Do you remember the notorious hacker Peace?
He is the hacker that offered for sale the dumps of LinkedIn and MySpace, and now he has once again a surprise for the security experts.
Peace is advertising 200 million of alleged Yahoo user credentials (from “2012 most likely,”) on the dark web. Yahoo is aware of the amazing sale but it hasn’t commented yet. The hacker is offering the data for 3 bitcoins (roughly $1,800).
Peace is advertising the Yahoo login credentials on The Real Deal black marketplace, according to Motherboard that reached the notorious hacker, he has been trading the data privately for some time, but only the sale is public.
The Yahoo security team is currently investigating the event, meantime, it urges its users to use strong passwords, use different passwords for different and enable two-factor authentication when it is available.
The records in the dump contain usernames, MD5-hashed passwords, dates of birth, and sometimes backup email addresses.
At the time I was writing is still unclear if data has been stolen from Yahoo, or it has been collated from other major data leaks.
Motherboard obtained by Peace a small sample of the data composed of 5000 records before it was publicly offered for sale. Experts verified the data and found that most of the two dozen credentials still belong to active accounts.
“This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn’t recognised, it was not possible to continue.” wrote Joseph Cox from Motherboard.
Cox also added that when Motherboard attempted to contact over 100 of the addresses included in the sample, many returned as undeliverable.
“This account has been disabled or discontinued,” read one autoresponse to many of the emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account.”
(Security Affairs – Data Breach, Dark Web)