Slashdot Mirror


Hacker Selling Data For 200 Million Yahoo Users On The Dark Web (softpedia.com)

An anonymous reader writes from a report via Softpedia: A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users, sold by the same hacker that was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller's reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately $1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.

65 comments

  1. that many, huh? by turkeydance · · Score: 1

    Price is Right Rules: closest without going over.

    1. Re: that many, huh? by RCourtney · · Score: 1

      Not sure if they still do this by default, but years ago when we signed up for AT&T DSL, the email boxes they gave used the various AT&T domain names but were (and are still) hosted by Yahoo and are accessible on mail.yahoo.com

    2. Re: that many, huh? by RCourtney · · Score: 1

      My bad - this was supposed to be attached to the comment below re: people still use yahoo???

  2. What? by Anonymous Coward · · Score: 1

    Please pick one:
    1. People still use Yahoo?
    2. Yahoo still exists?
    3. WTF is Yahoo? (Millennial-oriented choice)

    1. Re:What? by mwvdlee · · Score: 5, Funny

      I just think it's nice somebody will be using my account again.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

    2. Re:What? by Anonymous Coward · · Score: 1

      Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

    3. Re:What? by Anonymous Coward · · Score: 0

      I still use Yahoo! mail as my primary email address. *shrugs*

      Never liked Google's "conversation" views for emails....I mean it's email, nothing special...yahoo works.

      Now to change my password just in case...

    4. Re:What? by Anonymous Coward · · Score: 0

      Hey, it makes a nice dumping ground for all of my spam and low level registration emails (one off online shopping, social media websites, etc.).

    5. Re: What? by Anonymous Coward · · Score: 0

      Ditto - me too.

    6. Re:What? by Rakarra · · Score: 1

      Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

      Wouldn't this mean that hackers are just as locked out of your account as you are?

    7. Re: What? by wierd_w · · Score: 1

      I use mine as the catch bin for those as shoe sites that demand an email address before they will cough up a download link for a piece of software I want. It is a raging maelstrom of spam and worse inside that inbox. If the hacker thinks that account will be useful to them, I laugh at the very thought.

      The kinds of people that this hacker would be selling this cache of accounts to are the very ones that necessitated the account's creation. If it weren't for the obsessive compulsive greed of certain "content creators", I would have no need for a spam account. When "stopasking@fuckwits.com" doesn't satisfy, because they have doubled down on their stupid by requiring active validation, they get the festering shithole of the yahoo account.

      No, apologists. I am not the entitled one. The typical free* software I get that requires such measures are themselves advertisements. Things like the free versions of antivirus products. Totally riddled with nags and constant reminders to upgrade to the paid version. They don't actually need to have an email address to support their paid software, because the free version is a constant, privileged, advert platform. The only reason they want it is to spam me harder. Fuck them. For others, like driver downloads (sadly), I have already bought the damn hardware, and support is offered as a compliment of purchase. They have my money, they don't need more via spamlords.

      There really isn't a compelling reason for big companies to demand an email address, that a simple free username and password combo could not provide. (User auth is about the only somewhat compelling reason here, and that is exactly what a username and password do. Without the spam.)

      Corporations are not entitled to "every dollar they can possibly get hold of." I make them waste money, by having an account I never look at, have no intention of ever looking at, which I give them when they get pushy like this. More people should do the same, so they stop being shitlords.

      Again, the hackers can have the spam account. I am sure they have plenty of spam already though.

    8. Re: What? by wierd_w · · Score: 1

      Damned phone. "Shoe sites?" What, does this thing think I am a teenage girl? Wtf?

      Should be "shit sites".

    9. Re: What? by Anonymous Coward · · Score: 0

      Ya, me too, I have had my acct for like 20 years, people know the account- it's like a phone number, chancing

    10. Re:What? by allo · · Score: 1

      Yahoo Mail is still quite popular, because it was one of the good free mailers and had less invite / phone verification bullshit than Gmail. Of course Google is now dominating, especially because of Android.

  3. MDWhat? by cloud.pt · · Score: 4, Insightful

    You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?

    1. Re:MDWhat? by TFlan91 · · Score: 3, Interesting

      I was thinking the same thing... How in the world is a company the size and age of Yahoo still using MD5 to store passwords...

      It takes at most 2/3 hours to set up some type of blowfish hashing scheme.

      Rule #1 when dealing with encryption: someone else has done it before and has done it better. Never rewrite the wheel. (Unless you are an actual expert in the field)

    2. Re:MDWhat? by michelcolman · · Score: 1

      Please tell me they at least salted them?

    3. Re:MDWhat? by Anonymous Coward · · Score: 0

      Pepper. The recipe calls for more pepper.

    4. Re:MDWhat? by michelcolman · · Score: 1

      Well, they didn't rewrite the wheel, did they? They just picked any old wheel they saw lying around, and that just happened to be MD5. And as long as it didn't squeak, they kept using it.

    5. Re:MDWhat? by Anonymous Coward · · Score: 0

      Yes. Get a brain and set up your own server.

    6. Re: MDWhat? by Anonymous Coward · · Score: 0

      Blowfish is a cypher, not a hashing algorithm. Hashes don't encrypt, they mangle in a way that you can't "undo" the hashing. Cyphers give you an encrypted version that you can decrypt if you've got the key. You should never encrypt passwords, you should hash them.

    7. Re:MDWhat? by hcs_$reboot · · Score: 3, Funny

      No, they're actually clear text passwords. Yahoo users just enjoy having 32 random hex chars passwords.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    8. Re:MDWhat? by geekmux · · Score: 5, Insightful

      You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?

      And you're concerned here why exactly?

      Being worried about how to secure your spam hole is kind of like putting a lock on the outhouse door to protect your shit.

      Literally.

    9. Re:MDWhat? by geekmux · · Score: 1

      Please tell me they at least salted them?

      Password salt is apparently only served over fresh ice cream.

      In Hell.

      (I've been asking this same question for over 20 years now, hence the analogy.)

    10. Re:MDWhat? by Anonymous Coward · · Score: 0

      And have your mail automatically junked by large service providers?

    11. Re:MDWhat? by Anonymous Coward · · Score: 0

      The OP may have meant they used it just for signing up to websites since that's one way your email can get sold or stolen by spammers. It doesn't make sense to just have an email sitting around just so it can get spam messages without actually using it anywhere.

    12. Re: MDWhat? by Anonymous Coward · · Score: 0

      Yes, it is a cipher, but it can be used to create hashes.
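
      The point these two replies are circling (a fast, unsalted digest like MD5 versus a salted, deliberately slow password hash of the bcrypt/Blowfish family) is shown below as an added example, not code from any poster or from Yahoo. It uses the Python standard library's PBKDF2-HMAC in place of bcrypt, and the credential store is constructed sample data; the duplicate-digest check is the kind of test a defender can run over a dump to see whether a site salted at all.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (not real accounts).
# Two users chose the same password: unsalted MD5 makes that visible at a glance.
USERS = {
    "alice": "correct horse battery",
    "bob":   "correct horse battery",
    "carol": "tr0ub4dor&3",
}

def md5_store(password):
    """Unsalted MD5 as described in the summary: same input -> same digest, and fast."""
    return hashlib.md5(password.encode()).hexdigest()

def duplicate_hash_groups(records):
    """Defender check over a dump: how many digests are shared by 2+ accounts?
    Any value above 0 means the store exposes password reuse, i.e. no per-user salt."""
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return sum(1 for users in by_digest.values() if len(users) > 1)

ITERATIONS = 200_000  # slow by design; tune so one hash costs ~100 ms on the server

def pbkdf2_store(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, standing in for bcrypt here).
    A random 16-byte salt per user means identical passwords give unrelated records
    and precomputed lookup tables are useless against the dump."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def compare_schemes():
    """Returns (duplicate groups under bare MD5, duplicate groups under salted PBKDF2)."""
    md5_dump = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_dump = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return duplicate_hash_groups(md5_dump), duplicate_hash_groups(pbkdf2_dump)

if __name__ == "__main__":
    print(compare_schemes())  # (1, 0)
```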

    13. Re:MDWhat? by geekmux · · Score: 1

      The OP may have meant they used it just for signing up to websites since that's one way your email can get sold or stolen by spammers. It doesn't make sense to just have an email setting around just so it can get spam messages without actually using it anywhere.

      Either way, the lock on the outhouse door being akin to this concern still stands.

      You're still worried about shit.

    14. Re: MDWhat? by Anonymous Coward · · Score: 0

      Like Hillary or the DNC?

    15. Re:MDWhat? by Anonymous Coward · · Score: 0
      You're still worried about shit.

      Not really. It's pretty common to have an email dump you don't really care about reading on a regular basis, but still need because so many retailers require an account to just buy something. Sometimes those accounts have credit card information stored on file. The email address can commonly be used to reset your password, so getting into these accounts could potentially be bad.

      So you may not often, or even ever have to login to yahoo, but if an attacker could, they could do some amount of damage.

    16. Re:MDWhat? by Anonymous Coward · · Score: 0

      the lock on the outhouse door being akin to this concern still stands.

      The lock isn't there to protect the shit, it's there to protect the Amazon catalog you browse while you're shitting.

    17. Re:MDWhat? by synapse7 · · Score: 1

      LOL.. where were you the last time this happened and the passwords were CLEAR text and made available for free!!!

    18. Re:MDWhat? by WallyL · · Score: 1

      I like locking the door so nobody walks in on me while I'm in there! Any other time, yeah, no biggie.

    19. Re:MDWhat? by Anonymous Coward · · Score: 0

      This is not GP, independent thinker here.

      I agree, you're still worried about shit. Perhaps you have some kind of fecal fetish?

    20. Re:MDWhat? by Anonymous Coward · · Score: 0

      SPF 80

    21. Re: MDWhat? by Anonymous Coward · · Score: 0

      And yet you re-made up the re-invent the wheel saying.

    22. Re:MDWhat? by cloud.pt · · Score: 1

      Yeap, that's exactly what I meant, so basically some less important services I sign up to using my yahoo account have now been compromised because someone didn't read the fking RFC memo.

  4. 200m users by silas_moeckel · · Score: 0

    Worth less than 2k? Well, they are Yahoo users, so that's mostly people's grandmas?

    --
    No sir I don't like it.

    1. Re:200m users by hcs_$reboot · · Score: 1

      Well, after removing duplicates, unused and fake accounts (took time to have captcha at the beginning) you get 2k valid accounts. So the rating seems quite right.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    2. Re:200m users by ArchieBunker · · Score: 1

      No you start cross checking other sites for the same login and password.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard

  5. One word: Subsidiaries by ZorinLynx · · Score: 2

    If you use Flickr, that's Yahoo. And Flickr is a pretty good service for photographers.

    That's just one example; these big companies usually own "smaller" sites that you might use without even knowing it's the big company behind the scenes.

    1. Re:One word: Subsidiaries by 93+Escort+Wagon · · Score: 1

      Actually, like a lot of huge companies buying other companies - Yahoo seemed to have done its darnedest to ruin Flickr for photographers after purchasing it.

      --
      #DeleteChrome

    2. Re:One word: Subsidiaries by orgelspieler · · Score: 1

      I am not alone in this. Once Yahoo! bought Flickr, it immediately ceased being an interesting site for budding photographers to learn about what was then a fairly new medium. It had been a vibrant community of like-minded hobbyists trying to improve their craft. As soon as Yahoo! bought it, it became a Shutterfly / Facebook / Chive wannabe, and almost everybody in my circles abandoned it. Some went to DeviantArt, some tried Picasa, but a lot of us just stopped sharing photos publicly. It was sad: I had a lot of good photos on there, and learned a lot. I still visit from time to time to see if any of my old acquaintances post anything interesting. But basically if it's not HDR or other overly-processed tripe it doesn't make the front page anymore.

    3. Re:One word: Subsidiaries by orgelspieler · · Score: 1

      They absolutely did. It was one of the saddest parts of my life. I basically gave up photography because of it. At least I have more time for my music now...

    4. Re:One word: Subsidiaries by Anonymous Coward · · Score: 0

  6. Not much money by Anonymous Coward · · Score: 0

    If his/her skills are really THAT good, they'd easily be making north of $250k/year.

    1. Re:Not much money by Anonymous Coward · · Score: 0

      If his/her skills are really THAT good, they'd easily be making north of $250k/year.

      Until he or she can demonstrate their actual skills beyond selling shit online, this "hacker" is nothing more than a salesman.

  7. Lol, MySpace passwords by JustAnotherOldGuy · · Score: 1, Funny

    He should pay people to take the MySpace passwords.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  8. Yahoo Mail asking me to change my password by Anonymous Coward · · Score: 0

    Yahoo Mail has started asking me to change my password. This has literally never happened before and I've used Yahoo Mail for over 15 years (Geocities account).

  9. Re:200 million user accounts... by toonces33 · · Score: 1

    Mine is used mainly for lame websites that want to force you to register, but I never read the email sent there. At one time I had somewhat important stuff there, but I switched things over some time back for those things I do care about.

    As it was I had a fairly strong random password with SMS 2FA set up. And I just changed it to an even stronger random password (longer).

    But if I lost the account somehow it would barely be classified as a nuisance. I would just create another somewhere or another and move on..

  10. I knew Yahoo was a mistake by Anonymous Coward · · Score: 0

    I made a throwaway email on yahoo that I use on facebook.

    I don't even remember the password to that email account. Not good.

  11. Score! by Anonymous Coward · · Score: 0

    Marissa Mayer has a term in her contract that if this happens she gets another $6M bonus. Go Marissa!

    1. Re: Score! by Anonymous Coward · · Score: 0

      That would not surprise me. Who thought hiring her was a good idea? Dumber than the hiring of Jack Dorsey.

  12. Does this mean... by __aaclcg7560 · · Score: 1

    I'll need to change my password for Yahoo Mail for the first time in 20+ years?

  13. In other news, by wbr1 · · Score: 1

    The hacker may make more from the sale of the passwords than Yahoo sold to Verizon for.

    --
    Silence is a state of mime.

  14. Data from 2012 by Anonymous Coward · · Score: 1

    The article said it looked like this info was stolen in 2012. I would hope that Yahoo isn't still using MD5 four years later but you never know. At the very least, this will provide another nice rich library to use for same account/password attacks and add to dictionary attacks.

  15. Brilliant Hacker != Good Businessperson by speedplane · · Score: 1

    This hacker was able to break into the security of LinkedIn, Tumblr, MySpace, and now Yahoo, and has only made a measly $65k? He or she could easily get triple that in less time by working for a reputable IT security company.

    --
    Fast Federal Court and I.T.C. updates

  16. PUTINNNNN!!!!!!!! by Anonymous Coward · · Score: 0

    (shakes fist)

  17. Too far by malditaenvidia · · Score: 1

    It's especially heinous to bully senior citizens online, even for a black hat.

  18. Another Day, Another Hack... by mschwanke97402 · · Score: 1

    Our account data seems to be available for the asking. Why do we even bother with having a password anymore?

  19. For the record by Anonymous Coward · · Score: 0

    If you buy my Yahoo user information, you may be disappointed to find out that my date of birth is not actually 4/20/69 and that my real name isn't even Rod Stiffington.

  20. This story is FUD by Anonymous Coward · · Score: 0

    Instead of saying possible breach at Yahoo, change your password.. this story says all this bullshit about your data being for sale on the darkest of dark illegal crime super duper absolutely outrageously dangerous fucking crime web.

    If some cunt sold passwords change your password. TOR is not some big dark shit. It is just encrypted. For an example of why people use it, just use the regular everyday "clear web". You are nearly 100 percent tracked profiled and monitored by the US government.

    Why would anybody like to not be tracked? Because the cunts who setup the surveillance on the clear web are the ones Ed Snowden showed the world that they are in fact devious cunts. So use fucking TOR mother fuckers stop being stupid.