HackDig : Dig high-quality web security articles for hacker

Data of 200 Million Yahoo Users Pops Up for Sale on the Dark Web

2016-08-01 21:15

A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users.

While Yahoo said it is currently investigating the breach, the listing has almost instant credibility since it was put up for sale by the infamous Peace_of_Mind (Peace), the same hacker behind many other verified and proven breaches.

If the name still doesn't ring any bells, Peace previously sold data dumps from sites such as LinkedIn, MySpace, Tumblr, Fling.com, and VK.com. In total, this hacker has sold the personal details of over 800 million users, and probably more.

Data breach dates back to 2012

According to the listing's descriptions, Peace says the data is old, approximately from 2012, the same year that Marissa Mayer was named Yahoo's CEO.

Last week, Yahoo was acquired by Verizon for $4.8 billion. Since nobody knows Verizon's plan for Yahoo, the hacker's thinking is to monetize the user accounts before they lose any more value, in case Verizon decides to ditch them or integrate them into other services.

In a conversation with Softpedia about his recent Dark Web listing, Peace told your reporter that "I am not aware when Marissa Mayer started working, however in 2012 is when the database was dumped by [the] same [R]ussians of linkedin, vk, tumbr etc etc. [B]asically anything I sell is from the group."

Passwords included. They can be cracked.

Peace has put up the data for 3 Bitcoin (approximately $1,800), and based on the sample he provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for US users.

Since the passwords are hashed with MD5, Yahoo users are in a world of trouble right now: MD5 hashes can be cracked almost instantly these days, meaning their passwords are practically exposed as cleartext.
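For operators still holding MD5 password digests, the sketch below is an added example (not from the original article, Softpedia, or Yahoo) of wrapping those digests in a salted, slow KDF at rest and dropping the MD5 layer at the next successful login. It assumes the legacy digests are unsalted MD5; the record layout, function names, and the 600,000-iteration PBKDF2 work factor are illustrative assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per hardware

def legacy_md5(password: str) -> str:
    # The weak scheme: one fast MD5 pass, assumed unsalted for this sketch.
    return hashlib.md5(password.encode()).hexdigest()

def _pbkdf2(material: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS).hex()

def wrap_legacy(md5_hex: str) -> dict:
    # Upgrade a stored MD5 digest at rest; no plaintext password is needed.
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "salt": salt.hex(),
            "hash": _pbkdf2(md5_hex.encode(), salt)}

def hash_new(password: str) -> dict:
    # Target scheme: salted PBKDF2 over the password itself.
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "hash": _pbkdf2(password.encode(), salt)}

def verify(password: str, record: dict) -> bool:
    if record["scheme"] == "pbkdf2(md5)":
        material = legacy_md5(password).encode()
    elif record["scheme"] == "pbkdf2":
        material = password.encode()
    else:
        return False  # bare MD5 records are never accepted
    candidate = _pbkdf2(material, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])

def login_and_upgrade(password: str, record: dict):
    # On a successful login, drop the MD5 layer by rehashing the password itself.
    if not verify(password, record):
        return None
    return record if record["scheme"] == "pbkdf2" else hash_new(password)

if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed test value
    a, b = legacy_md5(pw), legacy_md5(pw)
    print("same MD5 for two users with the same password:", a == b)
    ra, rb = wrap_legacy(a), wrap_legacy(b)
    print("wrapped records differ:", ra["hash"] != rb["hash"])
    print("upgraded scheme:", login_and_upgrade(pw, ra)["scheme"])
```

Wrapping protects the stored table immediately, but the password's strength is unchanged, so users whose MD5 digests already leaked still need a reset.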

Softpedia has reached out to Yahoo regarding the incident. The company hasn't acknowledged the incident just yet, saying they're still investigating. Per Yahoo's statement:

  We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.  

Peace made over $65,000 from his data dumps

In conversations with other hackers on TheRealDeal, your reporter was told that many of today's Dark Web sellers are now actively seeking to make their listings public to the press, taking inspiration from Peace.

The reason behind their approach is simple and has to do with the huge media coverage that has boosted Peace's sales. One of those sellers has told your reporter that Peace made around $50,000 just from the LinkedIn breach.

"[A] little bit over that amount," Peace told Softpedia, validating the rumors we previously heard. "65k [USD] including the other breaches," he also added.

If confirmed, the Yahoo breach will no doubt bring the same attention from the media as the other breaches, and will no doubt help Peace net over $100,000 in just two to three months.

Right now, we advise users to follow Yahoo's advice and change their account passwords just in case their data was included in the records sold by Peace.

Peace's Yahoo listing on TRD

Source: news.softpedia.com/news/data-of-200-million-yahoo-users-pops-up-for-sale-on-the-dark-web-5068
