Hacker Selling Data For 200 Million Yahoo Users On The Dark Web (softpedia.com) 65
An anonymous reader writes from a report via Softpedia: A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users, sold by the same hacker that was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller's reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately $1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.
that many, huh? (Score:2)
Re: that many, huh? (Score:2)
Re: that many, huh? (Score:2)
What? (Score:1)
Please pick one:
1. People still use Yahoo?
2. Yahoo still exists?
3. WTF is Yahoo? (Millennial-oriented choice)
Re:What? (Score:5, Funny)
I just think it's nice somebody will be using my account again.
Re: (Score:1)
Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.
Re: (Score:2)
I use mine as the catch bin for those as shoe sites that demand an email address before they will cough up a download link for a piece of software I want. It is a raging maelstrom of spam and worse inside that inbox. If the hacker thinks that account will be useful to them, I laugh at the very thought.
The kinds of people that this hacker would be selling this cache of accounts to are the very ones that necessitated the account's creation. If it weren't for the obsessive compulsive greed of certain "content cr
Re: (Score:2)
Damped phone. "Shoe sites?" What, does this thing think I am a teenage girl? Wtf?
Should be "shit sites".
Re: (Score:2)
Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.
Wouldn't this mean that hackers are just as locked out of your account as you are?
One word: Subsidiaries (Score:3)
If you use Flickr, that's Yahoo. And Flickr is a pretty good service for photographers.
That's just one example; these big companies usually own "smaller" sites that you might use without even knowing it's the big company behind the scenes.
Re: (Score:2)
Actually, like a lot of huge companies buying other companies - Yahoo seemed to have done its darnedest to ruin Flickr for photographers after purchasing it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yahoo Mail is still quite popular, because it was one of the good free mailers and had less invite / phone verification bullshit than gmail. Of course google is now dominating, especially because of android.
MDWhat? (Score:5, Insightful)
Re:MDWhat? (Score:4, Interesting)
I was thinking the same thing... How in the world is a company the size and age of Yahoo still using MD5 to store passwords...
It takes at most 2/3 hours to set up some type of blowfish hashing scheme.
Rule #1 when dealing with encryption: someone else has done it before and has done it better. Never rewrite the wheel. (Unless you are an actual expert in the field)
Re: (Score:1)
Well, they didn't rewrite the wheel, did they? They just picked any old wheel they saw lying around, and that just happened to be MD5. And as long as it didn't squeak, they kept using it.
Re: (Score:1)
Please tell me they at least salted them?
Re: (Score:2)
Please tell me they at least salted them?
Password salt is apparently only served over fresh ice cream.
In Hell.
(I've been asking this same question for over 20 years now, hence the analogy.)
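The contrast raised in the comments above (unsalted MD5 versus a salted, deliberately slow scheme), as an added example that is not part of the original thread: it verifies logins against legacy MD5 records and re-hashes each one with a per-user salt on the first successful login. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt ("blowfish") scheme the comment mentions; the user names, password, `db` dict, record format and iteration count are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the storage format described in the story."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' with a per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return hmac.compare_digest(legacy_md5(password), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate, then upgrade a legacy MD5 record while the password is known."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = hash_password(password)  # the MD5 value is overwritten
    return True


def demo():
    # Constructed sample records: two users who chose the same password.
    db = {"alice": legacy_md5("hunter2"), "bob": legacy_md5("hunter2")}
    same_before = db["alice"] == db["bob"]   # unsalted: identical hashes
    ok = login(db, "alice", "hunter2") and login(db, "bob", "hunter2")
    same_after = db["alice"] == db["bob"]    # salted: records now differ
    return same_before, ok, same_after, login(db, "alice", "wrong")


if __name__ == "__main__":
    print(demo())
```

Records for users who never log in again stay in the legacy format, so a real migration also needs a plan for those, such as forcing a reset.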
Re:MDWhat? (Score:4, Funny)
Re:MDWhat? (Score:5, Insightful)
You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?
And you're concerned here why exactly?
Being worried about how to secure your spam hole is kind of like putting a lock on the outhouse door to protect your shit.
Literally.
Re: (Score:2)
The OP may have meant they used it just for signing up to websites since that's one way your email can get sold or stolen by spammers. It doesn't make sense to just have an email sitting around just so it can get spam messages without actually using it anywhere.
Either way, the lock on the outhouse door being akin to this concern still stands.
You're still worried about shit.
Re: (Score:2)
Re: (Score:1)
I like locking the door so nobody walks in on me while I'm in there! Any other time, yeah, no biggie.
Re: (Score:2)
LOL.. where were you the last time this happened and the passwords were CLEAR text and made available for free!!!
Data from 2012 (Score:1)
The article said it looked like this info was stolen in 2012. I would hope that Yahoo isn't still using MD5 four years later but you never know. At the very least, this will provide another nice rich library to use for same account/password attacks and add to dictionary attacks.
200m users (Score:1)
Worth less than 2k well they are yahoo users, so that's mostly people's grandmas?
Re: (Score:2)
Re: (Score:2)
No you start cross checking other sites for the same login and password.
Re: (Score:2)
Mine is used mainly for lame websites that want to force you to register, but I never read the email sent there. At one time I had somewhat important stuff there, but I switched things over some time back for those things I do care about.
As it was I had a fairly strong random password with SMS 2FA set up. And I just changed it to an even stronger random password (longer).
But if I lost the account somehow it would barely be classified as a nuisance. I would just create another somewhere or another and mo
Lol, MySpace passwords (Score:2, Funny)
He should pay people to take the MySpace passwords.
Does this mean... (Score:2)
In other news, (Score:2)
Brilliant Hacker != Good Businessperson (Score:2)
Too far (Score:2)
Another Day, Another Hack... (Score:2)