Yahoo probes hacker’s claims of massive data breach

Yahoo investigating alleged data dump of 200 million user accounts to a dark web marketplace, where they are being sold for three bitcoins each 

2 August 2016, 9:00pm
A hacker using the pseudonym “Peace” has uploaded what he said was a data dump of 200 million Yahoo accounts to an underground marketplace on the dark web,

Usernames, passwords and dates of birth are being offered for sale on the marketplace ‘The Real Deal’ for three bitcoins (€1,611).

The technology giant said it was taking the claim of a potential leak “very seriously” and was “working to determine the facts”.

"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms," it said in a statement.

Peace wrote that the data was “most likely” from 2012 and that passwords in the data dump were hashed with an MD5 algorithm.

"The algorithm MD5 is considered to be weak, and for the vast majority of passwords it is easy to reverse what it was using what we call a dictionary attack," Prof Alan Woodward, a security expert from Surrey University, said.

However, he called for caution to be exercised about the alleged breach.

"We have seen claims about similar dumps in the past weeks which have proved to be fake or just old data," he said. "People are still trying to work out if it is real or not."

Motherboard, the technology news website which first reported the alleged breach, had obtained around 5,000 records from the data, and tested whether they corresponded to real accounts on the service.

It found that most of the first two dozen Yahoo usernames tested did in fact correspond to actual accounts.

However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: "This account has been disabled or discontinued," which might suggest that the data is old.

Brendan Rizzo, technical director at HPE Security, said: "Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen."