Yahoo investigating claimed breach and data dump of 200 million users
on
Get link
Facebook
X
Pinterest
Email
Other Apps
Tom Mendelsohn
A notorious black hat says he has more
than 200 million hacked Yahoo accounts for sale on the dark Web. The
company says it is "aware of [the] claim," but is refusing to comment on
its veracity. Yahoo accounts are primarily used to log into the
company's webmail service, but also for other sites like Flickr.
It's unclear at this point whether Yahoo
has itself been breached, but the account data has been publicly
available on a Tor-accessible marketplace called The Real Deal since
Monday, and is apparently being sold by a hacker known as Peace, who has
previously been linked to large-scale sales of MySpace and LinkedIn
account details in 2012.
A Yahoo spokesperson said:
We are aware of a claim. We are
committed to protecting the security of our users' information and we
take any such claim very seriously. Our security team is working to
determine the facts. Yahoo works hard to keep our users safe, and we
always encourage our users to create strong passwords, or give up
passwords altogether by using Yahoo Account Key, and use different
passwords for different platforms.
The entire dump, which apparently contains
usernames, hashed passwords created with the md5 algorithm, dates of
birth, and occasional backup email addresses, can be bought for three
bitcoins (roughly £1,360 or $1,813).
Motherboard, which broke the story,
was privately supplied with a small number of accounts from Peace and
found that at least some of the usernames were still valid Yahoo
accounts: "When [we] attempted to contact over 100 of the addresses in
the sample set, many returned as undeliverable," said Motherboard's
report. "'This account has been disabled or discontinued,' read one
autoresponse to many of the e-mails that failed to deliver properly,
while others read 'This user doesn’t have a yahoo.com account.'"
Peace admitted that the data was "most likely"
from 2012, and there's a good chance that the information might have
been collated from other hacks, unless Yahoo confirms that the dump
originates from a single mighty data breach.
Correction (8/3, 1p CT): The
original version of this story incorrectly stated that Motherboard
privately purchased some of the data to verify it. It has now been
updated to reflect that Motherboard obtained the data through its
reporting on Peace. Ars regrets the error.
Comments
Post a Comment