Yahoo said it is investigating reports that 200 million users’ data is being sold online
Yahoo has confirmed it is “aware” of claims that leaked data on about 200 million of its accounts is being offered for sale, but declined to confirm or deny the legitimacy of the data.
The data went up for sale on the black market website The Real Deal on Monday, listed by an individual or group using the pseudonym “Peace” – the same who previously sold massive data caches stolen from social media services LinkedIn and MySpace.
‘Working to determine the facts’
Yahoo said in a statement it is “aware of a claim” and said its security team is “working to determine the facts”.
The data contains usernames, passwords protected by the MD5 encryption algorithm, dates of birth and in some cases back-up email addresses, according to the marketplace listing, and is offered for 3 Bitcoins, or around £1,400.
The records “most likely” date from 2012, according to the listing.
The user data from previous breaches, particularly the LinkedIn user information, has been linked to attacks on users’ accounts with other services where the same password was reused.
“We always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” Yahoo stated.
Peace claimed in an interview with Wired to have been part of a Russian hacking group that targeted technology firms.
The data caches from MySpace, LinkedIn and other services, all of which are several years old, began to appear after the group disbanded, according to reports.
Peace told technology news site Motherboard that like those caches, the Yahoo data had previously been provided to select individuals before going on sale.
The breaches previously linked to Peace include 160 million LinkedIn accounts, 100 million from Russian social media site VK and 360 million from MySpace.
Are you a security pro? Try our quiz!