A hacker has put up the supposed account credentials of 200 million Yahoo users for sale on an underground web marketplace.
The data package is said to contain the usernames, dates of birth, and passwords of 200 million Yahoo users, reports Help Net Security. Those passwords are allegedly protected only by the MD5 hash function, which offers little comfort: MD5 is fast to compute, so attackers can readily recover the underlying passwords from the hashes.
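To make the point about MD5 concrete, here is an added illustration (not code from the article or from Yahoo) using a constructed table of three hypothetical users. Unsalted MD5 maps identical passwords to identical, instantly computable hashes, which is what makes a leaked dump so easy to work through; a salted, iterated scheme such as PBKDF2-HMAC-SHA256 gives every user a distinct stored value and raises the per-guess cost. The `duplicate_hash_groups` check is a quick way for a defender to spot an unsalted scheme in their own password store.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample records: two users happen to share a password.
USERS: Dict[str, str] = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}


def md5_store(password: str) -> str:
    """Legacy scheme: bare, unsalted MD5 of the password (what the dump reportedly uses)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated scheme. The salt and iteration count are stored with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: Dict[str, str]) -> int:
    """Number of stored values shared by more than one user.

    Any value above zero means identical passwords collide in storage,
    a strong hint that the scheme is unsalted (as with bare MD5).
    """
    counts = Counter(records.values())
    return sum(1 for c in counts.values() if c > 1)


def build_tables():
    """Hash the sample users under both schemes for comparison."""
    md5_table = {user: md5_store(pw) for user, pw in USERS.items()}
    pbkdf2_table = {user: pbkdf2_store(pw) for user, pw in USERS.items()}
    return md5_table, pbkdf2_table


if __name__ == "__main__":
    md5_table, pbkdf2_table = build_tables()
    print("MD5 duplicate groups:   ", duplicate_hash_groups(md5_table))     # 1
    print("PBKDF2 duplicate groups:", duplicate_hash_groups(pbkdf2_table))  # 0
    print("verify alice:", pbkdf2_verify("Summer2016!", pbkdf2_table["alice"]))
```

Note that alice and bob receive the same MD5 value, so recovering one password reveals the other for free, whereas their PBKDF2 entries differ because each carries its own random salt. Real deployments should prefer a memory-hard function such as Argon2 or scrypt where available; PBKDF2 is used here only because it ships in the standard library.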
Also supposedly included in the data dump are the back-up emails, country names, and zip codes of users based in the United States.
The hacker known as peace_of_mind (aka “Peace”) is currently offering the information for 3 Bitcoins (approximately 1,800 USD) on TheRealDeal, a dark web marketplace where they have already advertised access to data dumps from LinkedIn, Tumblr, and elsewhere.
Since Peace began trafficking in users’ stolen account credentials earlier in 2016, GitHub and other web services have implemented password resets after they detected actors targeting their users with password reuse attacks.
At this time, Yahoo has not confirmed or denied the breach. It has, however, acknowledged the existence of the data dump.
As a Yahoo spokesperson told Motherboard:
“We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
While Yahoo continues its investigation of the claimed breach, all users of the webmail service should consider changing their passwords and activating two-step verification (2SV) on their accounts.
Users should also remember to never recycle their passwords across multiple accounts. To protect themselves against password reuse attacks, they should create a strong, unique password for each of their profiles.