Are they legit? No one’s picking up at the Purple Palace
User credentials purported to belong to 200 million Yahoo! users are being offered up for sale through a dark web cybercrime shack.
The supposed credentials are being offered for sale by Peace (“peace_of_mind”) – the same miscreant who previously sold LinkedIn and Yahoo-owned Tumblr logins – at an asking price of 3 Bitcoins (or around $1,860) per copy.
The provenance and authenticity of the purloined data are unclear.
El Reg asked Yahoo! for comment on the authenticity of the dump, as well as asking what advice it had for its users, but we’ve yet to hear back. We’ll update this story as and when we hear more.
The leaked information reportedly includes usernames, MD5-hashed[1] passwords and the dates of birth of 200 million Yahoo! users.
Some “backup email addresses” as well as the ZIP codes of supposed US users also appear in the dump, Hacker News reports.
Motherboard said it had tested a small sample of the leaked dataset and found many pointed to abandoned accounts.
According to Peace, the leaked info dates from 2012.
James Romer, chief security architect Europe at SecureAuth, characterised the Yahoo! dump as the latest in a growing catalogue.
“This year has seen a huge number of compromised user credential breaches from big companies,” Romer said. “Last week it was O2, this week the alleged credentials belong to customers of Yahoo. But LinkedIn, Twitter and the National Childbirth Trust have all appeared on the 2016 hit list.
“It’s estimated that around 60 per cent of fraudulent cybercrimes are committed using stolen credentials, and we say time and again: having a simple password and username login process is just not enough with the advances in cybercrime and the increasing value of personal data.”
[1] MD5 hashes are easily breakable since the algorithm is well past its sell-by date.