Yahoo! Inc. (NASDAQ: onYHOO) is investigating claims of 200 million user accounts currently for sale on the dark web. Using the nickname Peace (“peace_of_mind”), a notorious hacker is advertising a mega-breach that, according to the criminal, he started back in 2012.
Motherboard first reported the hack, Vice News’ tech magazine, which claims to have heard of the leaf from the cybercriminal directly. The media assures Peace already sold dumps of Yahoo-owned Tumblr and LinkedIn logins last Monday on TheRealDeal marketplace.
Since 2012, the hacker has been selling the data privately, and Peace told Motherboard how he made it public in TheRealDeal, a darknet website offering security exploits, source codes, hacking tools, and hardware, as well as drugs and other illicit services flooding this kind of places.
And where electronic money is the holy grail of wealth, LinkedIn and MySpace credentials are worth three bitcoins, equal to $1,810.14 or £1,360.
What did Yahoo say?
“We are aware of a claim,” told a Yahoo spokesperson to Motherboard in an email, even before the claims of the mega-breach surfaced. Furthermore, the company claimed it’s taking this matter seriously and that Yahoo is “working to determine the facts.”
The leaked information reportedly includes passwords, names, and dates of birth of 200 million Yahoo! Subscribers, although the authenticity of the data is yet unclear. Hacker News adds that the zip codes of some of this likely users also appear in the dump.
Motherboard assured it tested a small sample of the leak (about 5,000 records) and found many of these accounts were abandoned.
Hacker Selling 200 Million #Yahoo Accounts On the Dark Web https://t.co/8MTET7ej5G #password #databreach pic.twitter.com/gVTly2a4ZD
— The Hacker News (@TheHackersNews) August 2, 2016
It appears the hacker already published the details of the algorithm allegedly used for the attack. The designed code hashed the passwords with what is known as a “dictionary attack,” technique for defeating a cipher by trying hundreds, thousand or even millions of likely possibilities, such as words in a dictionary.
A private data leak has been working for month undetected. Even Mark Zuckerberg, the founder of Facebook, had its LinkedIn, Twitter and Pinterest accounts hacked back in early June in a follow-up of breaches that also affected singers, Lana Del Rey and Katy Perry.
Motherboard and Znet dug up the alias of another dark web inhabitant behind the attacks, the hacker Tesla88, who has some rivalry with peace_of_mind. Both hackers (or groups of hackers) have “amusing promises” for the future, as, say, upcoming 800 stolen Facebook accounts.
Tale of 200 Million #Yahoo User Data: One guy selling; one vows to leak for free | https://t.co/um6hLfsb3M #Securiy pic.twitter.com/aSt8oIn2hG
— HackRead (@HackRead) August 2, 2016
Romer states that around 60 percent of fraudulent cyber crimes are committed using stolen credentials, and urges companies to use additional security gates, such as voice recognition, to ensure the privacy of the data.