200 million Yahoo passwords being sold on the dark web?

Joseph Cox at Motherboard writes:

A notorious cybercriminal is advertising 200 million alleged Yahoo user credentials on the dark web, and the company has said it is “aware” of the hacker’s claims, but has neither confirmed nor denied the legitimacy of the data.

On Monday, the hacker known as Peace, who has previously sold dumps of Myspace and LinkedIn, listed supposed credentials of Yahoo users on The Real Deal marketplace. Peace told Motherboard that he has been trading the data privately for some time, but only now decided to sell it openly.

When a hacker advertises a huge hoard of login details for sale, there are often more questions than answers:

  • How many (if any) of the credentials are legitimate? There may be 200 million or so being sold, but that doesn’t mean you’ll be able to break into 200 million accounts.
  • What is the origin of the data? Has it been collected through phishing attacks? Or has it been collated from the mega breach of another online service (like LinkedIn or MySpace), and is just evidence that, yet again, folks have made the mistake of reusing passwords?
  • Are the credentials for current accounts, or for old, stale accounts that may have been closed down or had their passwords changed long ago?
  • Is there any evidence of a security breach at Yahoo that could have resulted in login credentials spilling out? (This would be the most worrying, but thankfully seems the least likely.)

Not all of these questions are necessarily easy to answer with absolute certainty.

But what is clear is that your Yahoo account will be a lot safer if you have enabled two-step verification and have learnt never to reuse passwords.

If you’re not being sensible about your online security, take appropriate steps now to harden your Yahoo account. Because even if this current scare ends up not impacting your account, there is always the danger that you could become a victim in the future.

Graham Cluley