A hacker who has previously offered to sell user data from MySpace and LinkedIn on the Dark Web is reportedly now shopping around the credentials of 200 million Yahoo users.
The cyber thief, who goes by the name “Peace,” is seeking to sell the Yahoo data for three bitcoins (a little over $1,730), according to a report yesterday by Motherboard. Peace is quoted as saying that the information, which “most likely” dates to 2012, includes usernames and hashed passwords, along with dates of birth, among other data.
“We are aware of a claim,” a Yahoo spokesperson told us by email today. The spokesperson said the company’s security team “is working to determine the facts.” She added that Yahoo advises people to protect their account information by using strong passwords or “give up passwords altogether by using Yahoo Account Key.”
The news that this breached data is up for sale comes just a week after Verizon announced it would be acquiring Yahoo for $4.83 billion. The transaction is expected to close early next year.
‘Glut’ of Stolen Credentials for Sale
This latest Dark Web offer continues an ongoing “yard sale” of stolen credentials, Christopher Budd, the global threat communications manager at the security firm Trend Micro, told us today.
“There’s been an emerging trend over the past four to six months of [large amounts of data] sold for low, low prices,” Budd said. “It’s reflecting a glut in terms of quantity.” There’s recently been such an oversupply of stolen credentials that prices have not only plateaued, but are now dropping, he said.
While there will likely always be a market for stolen user credentials at some price, more innovative hackers will increasingly turn to higher-value data such as credentials for Uber or online gaming sites, Budd added. Email credentials will also continue to hold value as they potentially provide identity thieves with access to numerous other user accounts.
Budd noted that people should continue to take practical security precautions for their online accounts, including using two-factor authentication.
Similar Offers for LinkedIn, MySpace Info
In its report yesterday, Motherboard said it had seen a small sample — about 5,000 records — of Peace’s Yahoo data and found that “most of the two dozen Yahoo usernames Motherboard tested did correspond to actual accounts on the service.” However, many of the emails sent to around 100 of those hacked addresses bounced back, indicating those accounts were no longer active.
Earlier this year, Peace offered 117 million LinkedIn user credentials for five bitcoins on a Dark Web marketplace. That information was apparently taken from a 2012 attack that compromised some 167 million LinkedIn accounts.
Around the same time, the hacker also offered to sell around 427 million passwords stolen from MySpace users. That hack apparently occurred in June 2013, according to the hack-tracking site LeakedSource.