A hacker responsible for dumping hundreds of millions of MySpace, LinkedIn and other credentials online in recent months has now reportedly put up for sale 200 million Yahoo log-ins.
The individual, known as “Peace,” is selling the same kind of record as in the earlier dumps: usernames, passwords hashed with MD5, dates of birth, and in some cases email addresses.
The data is being sold on the same underground marketplace, TheRealDeal, for three Bitcoin (roughly $1,800 at the time), although it is unclear whether all of the credentials are current or how they were obtained.
Peace has said the records most likely date from 2012, and checks by Vice Motherboard found that some of them were no longer tied to a working account.
Yahoo has released a statement saying it is “aware” of the incident, although the firm has yet to initiate a user-wide password reset.
It added:
“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
Kevin Cunningham, president of identity firm SailPoint, argued that many organizations are still failing on password management.
“The most obvious and simple measures are still being overlooked,” he added.
“Often, business users are simply unaware of the potential dangers, which will only get worse as we continue to adopt applications … across the organization at the rate we have been over the last couple of years, especially without any control or oversight from IT.”
Peace has claimed responsibility for a spate of similar data dumps, including MySpace (360m), Tumblr (65m), LinkedIn (167m), and Fling (40m) – although like this one, there are suggestions that the credentials date from a few years back.