Yahoo looking into claims of 200 mn hacked accounts being on sale

03 Aug 2016

Yahoo is looking into claims that a hacker linked to "mega-breaches" at MySpace and LinkedIn had posted details of 200 million Yahoo accounts on the dark web.

Usernames, passwords and dates of birth were offered for sale for three bitcoins (£1,360).

The hacker, who used the name Peace, said the data was "most likely" from 2012.

Yahoo claimed to be taking the matter "very seriously" and said it was "working to determine the facts".

"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms," it said in a statement.

The hacker had published the passwords in a hashed format, but he had also published details of the algorithm allegedly used for the hash.

"The algorithm MD5 is considered to be weak, and for the vast majority of passwords it is easy to reverse what it was using what we call a dictionary attack," BBC News quoted Professor Alan Woodward, a security expert from Surrey University, as saying.

He, however, added that caution needed to be exercised about the alleged breach.

"We have seen claims about similar dumps in the past weeks which have proved to be fake or just old data," he said.

The stolen records have been put up for sale at TheRealDeal, a darknet marketplace that offered illegal goods.

In a brief message, the hacker said the Yahoo database had come from a Russian group that breached LinkedIn and Tumblr, in addition to MySpace.

He added that the Yahoo accounts database "most likely" comes from 2012, and said copies of the stolen Yahoo database had already been bought.

Yahoo had reported a breach of 450,000 accounts in 2012.

Though a hacking group called D33ds Company had claimed responsibility, Yahoo said that most of the stolen passwords were invalid.