A hacker responsible for breaches of both LinkedIn and MySpace has reportedly stolen 200 million login credentials for Yahoo accounts. The hacker goes by the name peace_of_mind and claims to have stolen credentials for Tumblr as well. He is selling the Yahoo information on the darknet in a marketplace called TheRealDeal, where anyone can buy it for 3 bitcoins, or US $1,824. Motherboard reported that a Yahoo spokesperson told them that the company was aware of the credentials being stolen online, but did not confirm whether Yahoo itself had been hacked in order to obtain the login credentials.
In a statement to Motherboard, Yahoo said:
“We are committed to protecting the security of our users’ information and we take any such claim very seriously,” a Yahoo spokesperson said. “Our security team is working to determine the facts.”
The biggest oddity of the news appears to be the credibility of the login credentials. Many of the accounts appear to be disabled or otherwise inactive: when Motherboard attempted to test 100 of the posted email addresses, most came back “undeliverable”. When Motherboard contacted peace_of_mind, who is posting on TheRealDeal, he explained that most of the stolen credentials were from 2012. Peace_of_mind has posted a sample of the stolen Yahoo database, including email addresses and passwords that have been hashed using the MD5 algorithm.
As many may remember, this is not the first time Yahoo has been put in a bad spot due to a security breach. In 2012 a breach exposed 453,000 passwords, while in 2014 a breach involved what the company called a “coordinated effort” to gain access to Yahoo email accounts. In May of this year the United States House of Representatives blocked Yahoo access on its network due to concern that the company was a target for hackers. Rightfully so, apparently.
The company told PCMag in a statement,
“[Yahoo] works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
Regardless of whether or not Yahoo confirms the breach, users should most certainly change their credentials and, in my own opinion, jump ship to Gmail.