Yahoo says it is investigating reports of 200 million user credentials advertised for sale on the Dark Web by a hacker that goes by the handle “peace_of_mind”.

The Yahoo credentials, according to the site listing the database for sale, includes usernames, passwords (hashed using the MD5 algorithm), birthdates and backup emails for some accounts. The Yahoo credentials are for sale on the hacker marketplace The Real Deal with a price tag of 3 bitcoins or $1,800.

Yahoo declined to confirm the breach, but said in a statement: “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”

“The odds are good this data is real. It’s simply too hard to fake a dataset that large,” said Ori Eisen, founder and CEO of Trusona. “I think Yahoo is still just realizing what’s going on. They are in the verification stages of this breach.”

Both MySpace and Linked data dumps were linked to the alleged Yahoo credential data broker “peace_of_mind” or Peace. In May, Peace was reportedly behind 117 million LinkedIn user logins for sale on The Real Deal. Two weeks later, Peace was connected to 427 million stolen MySpace credentials available for sale on The Real Deal.

While the validity of a breach and Yahoo user data is still waiting to be verified, news outlets Motherboard and InfoWorld have downloaded samples of the Yahoo database made available by Peace. Both report many of the credentials either no longer working or invalid. Motherboard reported attempting to contact 100 Yahoo email address with “many returned undeliverable.”

It’s unknown where the alleged breached data comes from. Some security experts speculate the data may be part of “leaked” credentials from other breaches, while others tie portions of the database to a breach Yahoo reported in 2012 where 450,000 accounts were compromised.

Despite the fact Yahoo has not issued a password-reset for its users, security experts are urging Yahoo users to change their login credentials. “While Yahoo has not confirmed that the data being sold consists of real user credentials, it hasn’t denied it either. This is an ominous sign – especially in light of the recent MySpace and LinkedIn compromises,” said Adam Levin, chairman and founder of IDT911 in an email interview.

If the Yahoo breach is confirmed it will join a long list of companies hit by mega-breaches that have come to light this year. Those breaches, which include LinkedIn, Tumblr, VK.com, Fling and MySpace, were later tied to password-reuse attacks at Carbonite, Citrix’s GoToMyPC, TeamViewer, Twitter, Github, Tumbler and iMesh.

“Unrelated attackers will buy these usernames and passwords and use sophisticated automation software, like SentryMBA, to bypass application defenses and automatically test these credentials against whatever unrelated site they want to attack,” said Shuman Ghosemajumder, CTO of Shape Security.

 

Categories: Vulnerabilities, Web Security