Going! going! pwned? 200! million! Yahoo! logins! leaked! allegedly!
Legit or not, they're on sale on the dark web
Updated
What's claimed to be the login credentials for 200 million Yahoo! accounts is now on sale through a dark web cybercrime shack.
The purported user database dump is being touted by someone called Peace – as in peace_of_mind, the same miscreant who previously sold LinkedIn and Yahoo-owned Tumblr logins – at an asking price of 3 Bitcoins (or around $1,860) per copy. The provenance and authenticity of the purloined data are unclear.
El Reg asked Yahoo! for comment on the authenticity of the dump, as well as asking what advice it had for its users, but we've yet to hear back. We’ll update this story as and when we hear more.
The swiped account information reportedly includes usernames, easily cracked MD5-hashed passwords and the dates of birth of 200 million Yahoo! users. Some "backup email addresses" as well as the ZIP codes of supposed US users also appear in the dump, Hacker News reports.
Motherboard said it had tested a small sample of the leaked dataset and found many entries pointed to abandoned accounts. According to Peace, the leaked info dates from 2012.
James Romer, chief security architect Europe at SecureAuth, characterised the Yahoo! dump as the latest in a growing catalogue.
“This year has seen a huge number of compromised user credential breaches from big companies,” Romer said. “Last week it was O2, this week the alleged credentials belong to customers of Yahoo. But LinkedIn, Twitter and the National Childbirth Trust have all appeared on the 2016 hit list.
“It’s estimated that around 60 per cent of fraudulent cybercrimes are committed using stolen credentials, and we say time and again: having a simple password and username login process is just not enough with the advances in cybercrime and the increasing value of personal data.” ®
Updated to add
“We are aware of a claim,” a Yahoo! spokesman told us after publication.
“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”