Data of 200 Million Yahoo Users Pops Up for Sale on the Dark Web
Hacker is asking for $1,800 for the entire data set
A listing has been published today on TheRealDeal Dark Web marketplace, claiming to be offering data on over 200 million Yahoo users.
While Yahoo says it is currently investigating the breach, the listing has almost instant credibility since it’s been put up for sale by the infamous Peace_of_Mind (Peace), the same hacker behind many other verified and proven breaches.
If the name still doesn’t ring a bell, you should know that Peace previously sold data dumps from sites such as LinkedIn, MySpace, Tumblr, Fling.com, and VK.com. In total, this hacker sold the personal details of over 800 million users, and probably more.
Data breach dates back to 2012
According to the listing’s descriptions, Peace says the data is old, approximately from 2012, the same year when Marissa Mayer was named Yahoo’s CEO. Back in 2012, the hacker group D33ds Company reported hacking Yahoo, but the company admitted to only losing 450,000 user records during the incident.
Last week, Yahoo was acquired by Verizon for $4.8 billion. Since nobody knows Verizon’s plan for Yahoo, the hacker’s probable plan is to monetize the user accounts before they lose any more value, in case Verizon decides to ditch them or integrate them into other services.
In a conversation with Softpedia about his recent Dark Web listing, Peace told your reporter that “I am not aware when Marissa Mayer started working, however in 2012 is when the database was dumped by [the] same [R]ussians of linkedin, vk, tumbr etc etc. [B]asically anything I sell is from the group.”
Passwords included. They can be cracked.
Peace has put up the data for 3 Bitcoin (approximately $1,800), and based on the sample he provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there are also backup email addresses, country of origin, and ZIP code for US users.
Since the passwords are hashed with MD5, Yahoo users are in a world of trouble right now: MD5 hashes can be cracked almost instantly these days, meaning their passwords are practically exposed as cleartext.
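Why a fast hash offers so little protection, as an added example (not code from the article or from Yahoo): it compares a single MD5 pass with a salted, iterated PBKDF2 record for constructed passwords. Unsalted storage and the 600,000-iteration work factor are assumptions; the article states neither.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the article


def md5_hex(password: str) -> str:
    """Legacy scheme: one fast MD5 pass (unsalted storage is an assumption)."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_record(password: str) -> tuple[bytes, bytes]:
    """Replacement scheme: per-user random salt plus an iterated KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def slow_verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


def rate(fn, budget: float = 0.2) -> float:
    """Calls per second of fn, measured over at least `budget` seconds."""
    calls, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        fn()
        calls += 1
    return calls / (time.perf_counter() - start)


def cost_ratio() -> float:
    """How many MD5 computations fit in the time of one PBKDF2 computation."""
    fast = rate(lambda: md5_hex("constructed-sample"))
    slow = rate(lambda: slow_record("constructed-sample"))
    return fast / slow


if __name__ == "__main__":
    # Two constructed accounts that share one password.
    print("same MD5 digest:", md5_hex("password") == md5_hex("password"))
    a, b = slow_record("password"), slow_record("password")
    print("same PBKDF2 key:", a[1] == b[1])
    print(f"MD5 is ~{cost_ratio():,.0f}x cheaper per guess")
```

With unsalted MD5, every account that shares a password also shares a digest, so the per-guess cost is paid once for the whole data set rather than once per user.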
Softpedia has reached out to Yahoo regarding the incident. The company hasn’t acknowledged the incident just yet, saying they’re still investigating. As per Yahoo’s statement:
“We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
Peace made over $65,000 from his data dumps
In conversations with other hackers on TheRealDeal, your reporter was told that many of today’s Dark Web sellers are now actively seeking to make their listings public to the press, taking inspiration from Peace.
The reason behind their approach is simple and has to do with the huge media coverage that has boosted Peace’s sales. One of those sellers told your reporter that Peace made around $50,000 just from the LinkedIn breach.
“[A] little bit over that amount,” Peace told Softpedia, validating the rumors we previously heard. “65k [USD] including the other breaches,” he also added.
If confirmed, the Yahoo breach will no doubt bring the same attention from the media as the other breaches, and it will certainly help Peace net over $100,000 in just two to three months.
Right now, we recommend that users follow Yahoo’s advice and change their account passwords just in case their data was included in the records sold by Peace.
UPDATE [August 2, 2016]: We were made aware of a similar report on Peace’s Yahoo listing from Motherboard. The publication received a batch of 5,000 Yahoo credentials from Peace, and after testing a few, they found that a large batch of the data belonged to abandoned email accounts. This is consistent with a Yahoo announcement from 2013, when the company decided to deactivate inactive accounts and even free up inactive IDs for re-registration. This doesn’t mean Peace’s data is fake.
Softpedia has also acquired a supposed copy of the Yahoo! Voice breach by D33Ds Company from 2012, thanks to @Cyber_War_News. Preliminary tests carried out by Cyber War News showed no connection between Peace’s sample data and the 2012 data. We’ll update the article when our own analysis concludes.