Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Yahoo! Communications Network Networking Privacy Social Networks The Internet News Technology

Hacker Selling Data For 200 Million Yahoo Users On The Dark Web (softpedia.com) 65

An anonymous reader writes from a report via Softpedia: A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users, sold by the same hacker that was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller's reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately ~$1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.
This discussion has been archived. No new comments can be posted.

Hacker Selling Data For 200 Million Yahoo Users On The Dark Web

Comments Filter:
  • Price is Right Rules: closest without going over.
  • by Anonymous Coward

    Please pick one:
    1. People still use Yahoo?
    2. Yahoo still exists?
    3. WTF is Yahoo? (Millennial-oriented choice)

    • Re:What? (Score:5, Funny)

      by mwvdlee ( 775178 ) on Tuesday August 02, 2016 @08:21AM (#52627731) Homepage

      I just think it's nice somebody will be using my account again.

      • by Anonymous Coward

        Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

        • by Rakarra ( 112805 )

          Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

          Wouldn't this mean that hackers are just as locked out of your account as you are?

    • If you use Flickr, that's Yahoo. And Flickr is a pretty good service for photographers.

      That's just one example; these big companies usually own "smaller" sites that you might use without even knowing it's the big company behind the scenes.

      • Actually, like a lot of huge companies buying other companies - Yahoo seemed to have done it's darnedest to ruin Flickr for photographers after purchasing it.

        • They absolutely did. It was one of the saddest parts of my life. I basically gave up photography because of it. At least I have more time for my music now...
      • I am not alone in this. Once Yahoo! bought Flickr, it immediately ceased being an interesting site for budding photographers to learn about what was then a fairly new medium. It had been a vibrant community of like-minded hobbyists trying to improve their craft. As soon as Yahoo! bought it, it because a Shutterfly / Facebook / Chive wannabe, and almost everybody in my circles abandoned it. Some went to DiviantArt, some tried Picasa, but a lot of us just stopped sharing photos publicly. It was sad: I had a l
    • by allo ( 1728082 )

      Yahoo Mail is still quite popular, because it was one of the good free mailers and had less invite / phone verification bullshit than gmail. Of course google is now dominating, especially because of android.

  • MDWhat? (Score:5, Insightful)

    by cloud.pt ( 3412475 ) on Tuesday August 02, 2016 @08:08AM (#52627675)
    You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?
    • Re:MDWhat? (Score:4, Interesting)

      by TFlan91 ( 2615727 ) on Tuesday August 02, 2016 @08:12AM (#52627699)

      I was thinking the same thing... How is the world is a company the size and age of Yahoo still using MD5 to store passwords...

      It takes at most 2/3 hours to setup some type of blowfish hashing scheme.

      Rule #1 when dealing with encryption: someone else has done it before and has done it better. Never rewrite the wheel. (Unless you are an actual expert in the field)

      • Well, they didn't rewrite the wheel, did they? They just picked any old wheel they saw lying around, and that just happened to be MD5. And as long as it didn't squeak, they kept using it.

    • Please tell me they at least salted them?

      • Please tell me they at least salted them?

        Password salt is apparently only served over fresh ice cream.

        In Hell.

        (I've been asking this same question for over 20 years now, hence the analogy.)

    • Re:MDWhat? (Score:4, Funny)

      by hcs_$reboot ( 1536101 ) on Tuesday August 02, 2016 @08:59AM (#52628003)
      No, they're actually clear text passwords. Yahoo users just enjoy having 32 random hex chars passwords.
    • Re:MDWhat? (Score:5, Insightful)

      by geekmux ( 1040042 ) on Tuesday August 02, 2016 @09:00AM (#52628011)

      You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?

      And you're concerned here why exactly?

      Being worried about how to secure your spam hole is kind of like putting a lock on the outhouse door to protect your shit.

      Literally.

      • by WallyL ( 4154209 )

        I like locking the door so nobody walks in on me while I'm in there! Any other time, yeah, no biggie.

    • LOL.. where were you the last time this happened and the passwords were CLEAR text and made available for free!!!

    • by Anonymous Coward

      The article said it looked like this info was stolen in 2012. I would hope that Yahoo isn't still using MD5 fours years later but you never know. At the very least, this will provide another nice rich library to use to use for same account/password attacks and add to dictionary attacks.

  • Worth less than 2k well they are yahoo users, so thats mostly peoples grandma's?

    • Well, after removing duplicates, unused and fake accounts (took time to have captcha at the beginning) you get 2k valid accounts. So the rating seems quite right.
    • No you start cross checking other sites for the same login and password.

  • He should pay people to take the MySpace passwords.

  • I'll need to change my password for Yahoo Mail for the first time in 20+ years?
  • The hacker may make more from the sale of the passwords than Yahoo sold to Verizon for.
  • This hacker was able to break into the security of LinkedIn, Tumblr, MySpace, and now Yahoo, and has only made a measly $65k? He or she could easily get triple that in less time by working for a reputable IT security company.
  • It's especially heinous to bully senior citizens online, even for a black hat.
  • Our account data seems to available for the asking. Why do we even bother with having a password anymore?

grep me no patterns and I'll tell you no lines.

Working...