Yahoo investigating claimed breach and data dump of 200 million users

Tom Mendelsohn

A notorious black hat says he has more than 200 million hacked Yahoo accounts for sale on the dark Web. The company says it is "aware of [the] claim," but is refusing to comment on its veracity. Yahoo accounts are primarily used to log into the company's webmail service, but also for other sites like Flickr.
It's unclear at this point whether Yahoo has itself been breached, but the account data has been publicly available on a Tor-accessible marketplace called The Real Deal since Monday, and is apparently being sold by a hacker known as Peace, who has previously been linked to large-scale sales of MySpace and LinkedIn account details in 2012.
A Yahoo spokesperson said:
We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.
The entire dump, which apparently contains usernames, hashed passwords created with the md5 algorithm, dates of birth, and occasional backup email addresses, can be bought for three bitcoins (roughly £1,360 or $1,813).
Motherboard, which broke the story, was privately supplied with a small number of accounts from Peace and found that at least some of the usernames were still valid Yahoo accounts: "When [we] attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable," said Motherboard's report. "'This account has been disabled or discontinued,' read one autoresponse to many of the e-mails that failed to deliver properly, while others read 'This user doesn’t have a yahoo.com account.'"
Peace admitted that the data was "most likely" from 2012, and there's a good chance that the information might have been collated from other hacks, unless Yahoo confirms that the dump originates from a single mighty data breach.
Correction (8/3, 1p CT): The original version of this story incorrectly stated that Motherboard privately purchased some of the data to verify it. It has now been updated to reflect that Motherboard obtained the data through its reporting on Peace. Ars regrets the error.
This post originated on Ars Technica UK

Comments