Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Selling Data For 200 Million Yahoo Users On The Dark Web (softpedia.com)

Posted by BeauHD on from the personal-details dept.

An anonymous reader writes from a report via Softpedia: A listing was published today on TheRealDeal Dark Web marketplace claiming to be offering data on over 200 million Yahoo users, sold by the same hacker that was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller's reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately ~$1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.

35 of 65 comments (clear)

  1. that many, huh? by turkeydance · · Score: 1

    Price is Right Rules: closest without going over.

    1. Re: that many, huh? by RCourtney · · Score: 1

      Not sure if they still do this by default, but years ago when we signed up for AT&T DSL, the email boxes they gave used the various AT&T domain names but were (and are still) hosted by Yahoo and are accessable on mail.yahoo.com

    2. Re: that many, huh? by RCourtney · · Score: 1

      My bad - this was suppose to be attached to the comment below re: people still use yahoo???

  2. What? by Anonymous Coward · · Score: 1

    Please pick one:
    1. People still use Yahoo?
    2. Yahoo still exists?
    3. WTF is Yahoo? (Millennial-oriented choice)

    1. Re:What? by mwvdlee · · Score: 5, Funny

      I just think it's nice somebody will be using my account again.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:What? by Anonymous Coward · · Score: 1

      Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

    3. Re:What? by Rakarra · · Score: 1

      Hell, I'd like to be able to get into my account again. Even though I know my password, Yahoo won't let me in unless I follow a confirmation link sent to a deactivated e-mail account. Nice to see that they care enough about security to keep their users out and let hackers in.

      Wouldn't this mean that hackers are just as locked out of your account as you are?

    4. Re: What? by wierd_w · · Score: 1

      I use mine as the catch bin for those as shoe sites that demand an email adress before they will cough up a download link for a pice of software I want. It is a raging maelstrom of spam and worse inside that inbox. If the hacker thinks that account will be useful to them, I laugh at the very thought.

      The kinds of people that this hacker would be selling this cache of accounts to are the very ones that necessitated the account's creation. If it werent for the obscessive compulsive greed of certain "content creators", i would have no need for a spam account. When "stopasking@fuckwits.com" doesnt satisfy, because they have doubled down on thier stupid by requiring active validation, they get the festering shithole of the yahoo account.

      No, alologists. I am not the entitled one. The typical free* software i get that requires such measures are themselves advertisements. Things like the free versions of antivirus products. Totally riddled with nags and constant reminders to upgrade to the paid version. They dont actually need to have an email address to support their paid software, because the free version is a constant, privileged, advert platform. The only reason they want it is to spam me harder. Fuck them. For others, like driver downloads (sadly), i have already bought the damn hardware, and support is offered as a compliment of purchase. They have my money, they dont need more via spamlords.

      There really isnt a compelling reason for big companies to demand an email address, that a simple free username and password combo could not provide. (User auth is about the only somewhat compelling reason here, and that is exactly what a username and password do. Without the spam.)

      Corporations are not entitled to "every dollar they can possibly get hold of." I make them waste money, by having an account i never look at, have no intention of ever looking at, which i give them when they get pushy like this. More people should do the same, so they stop being shitlords.

      Again, the hackers can have the spam account. I am sure they have plenty of spam already though.

    5. Re: What? by wierd_w · · Score: 1

      Damped phone. "Shoe sites?" What, does this thing think I am a teenage girl? Wtf?

      Should be "shit sites".

    6. Re:What? by allo · · Score: 1

      Yahoo Mail is still quite popular, because it was one of the good free mailers and had less invite / phone verification bullshit than gmail. Of course google is now dominating, especially because of android.

  3. MDWhat? by cloud.pt · · Score: 4, Insightful

    You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?

    1. Re:MDWhat? by TFlan91 · · Score: 3, Interesting

      I was thinking the same thing... How is the world is a company the size and age of Yahoo still using MD5 to store passwords...

      It takes at most 2/3 hours to setup some type of blowfish hashing scheme.

      Rule #1 when dealing with encryption: someone else has done it before and has done it better. Never rewrite the wheel. (Unless you are an actual expert in the field)

    2. Re:MDWhat? by michelcolman · · Score: 1

      Please tell me they at least salted them?

    3. Re:MDWhat? by michelcolman · · Score: 1

      Well, they didn't rewrite the wheel, did they? They just picked any old wheel they saw lying around, and that just happened to be MD5. And as long as it didn't squeak, they kept using it.

    4. Re:MDWhat? by hcs_$reboot · · Score: 3, Funny

      No, they're actually clear text passwords. Yahoo users just enjoy having 32 random hex chars passwords.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:MDWhat? by geekmux · · Score: 5, Insightful

      You gotta be kidding me, they're storing passwords as MD5 hashes... There goes my spam Yahoo mail account. Anyone got good alternatives that aren't Google bound?

      And you're concerned here why exactly?

      Being worried about how to secure your spam hole is kind of like putting a lock on the outhouse door to protect your shit.

      Literally.

    6. Re:MDWhat? by geekmux · · Score: 1

      Please tell me they at least salted them?

      Password salt is apparently only served over fresh ice cream.

      In Hell.

      (I've been asking this same question for over 20 years now, hence the analogy.)

    7. Re:MDWhat? by geekmux · · Score: 1

      The OP may have meant they used it just for signing up to websites since that's one way your email can get sold or stolen by spammers. It doesn't make sense to just have an email setting around just so it can get spam messages without actually using it anywhere.

      Either way, the lock on the outhouse door being akin to this concern still stands.

      You're still worried about shit.

    8. Re:MDWhat? by synapse7 · · Score: 1

      LOL.. where were you the last time this happened and the passwords were CLEAR text and made available for free!!!

    9. Re:MDWhat? by WallyL · · Score: 1

      I like locking the door so nobody walks in on me while I'm in there! Any other time, yeah, no biggie.

    10. Re:MDWhat? by cloud.pt · · Score: 1

      Yeap, that's exactly what I meant, so basically some less important services I sign up to using my yahoo account have now been compromised because someone didn't read the fking RFC memo.

  4. One word: Subsidiaries by ZorinLynx · · Score: 2

    If you use Flickr, that's Yahoo. And Flickr is a pretty good service for photographers.

    That's just one example; these big companies usually own "smaller" sites that you might use without even knowing it's the big company behind the scenes.

    1. Re:One word: Subsidiaries by 93+Escort+Wagon · · Score: 1

      Actually, like a lot of huge companies buying other companies - Yahoo seemed to have done it's darnedest to ruin Flickr for photographers after purchasing it.

      --
      #DeleteChrome
    2. Re:One word: Subsidiaries by orgelspieler · · Score: 1

      I am not alone in this. Once Yahoo! bought Flickr, it immediately ceased being an interesting site for budding photographers to learn about what was then a fairly new medium. It had been a vibrant community of like-minded hobbyists trying to improve their craft. As soon as Yahoo! bought it, it because a Shutterfly / Facebook / Chive wannabe, and almost everybody in my circles abandoned it. Some went to DiviantArt, some tried Picasa, but a lot of us just stopped sharing photos publicly. It was sad: I had a lot of good photos on there, and learned a lot. I still visit from time to time to see if any of my old acquaintances post anything interesting. But basically if it's not HDR or other overly-processed tripe it doesn't make the front page anymore.

    3. Re:One word: Subsidiaries by orgelspieler · · Score: 1

      They absolutely did. It was one of the saddest parts of my life. I basically gave up photography because of it. At least I have more time for my music now...

  5. Re:200m users by hcs_$reboot · · Score: 1

    Well, after removing duplicates, unused and fake accounts (took time to have captcha at the beginning) you get 2k valid accounts. So the rating seems quite right.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  6. Lol, MySpace passwords by JustAnotherOldGuy · · Score: 1, Funny

    He should pay people to take the MySpace passwords.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  7. Re:200m users by ArchieBunker · · Score: 1

    No you start cross checking other sites for the same login and password.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  8. Re:200 million user accounts... by toonces33 · · Score: 1

    Mine is used mainly for lame websites that want to force you to register, but I never read the email sent there. At one time I had somewhat important stuff there, but I switched things over some time back for those things I do care about.

    As it was I had a fairly strong random password with SMS 2FA set up. And I just changed it to and even stronger random password (longer).

    But if I lost the account somehow it would barely be classified as a nuisance. I would just create another somewhere or another and move on..

  9. Does this mean... by __aaclcg7560 · · Score: 1

    I'll need to change my password for Yahoo Mail for the first time in 20+ years?

  10. In other news, by wbr1 · · Score: 1

    The hacker may make more from the sale of the passwords than Yahoo sold to Verizon for.

    --
    Silence is a state of mime.
  11. Data from 2012 by Anonymous Coward · · Score: 1

    The article said it looked like this info was stolen in 2012. I would hope that Yahoo isn't still using MD5 fours years later but you never know. At the very least, this will provide another nice rich library to use to use for same account/password attacks and add to dictionary attacks.

  12. Brilliant Hacker != Good Businessperson by speedplane · · Score: 1

    This hacker was able to break into the security of LinkedIn, Tumblr, MySpace, and now Yahoo, and has only made a measly $65k? He or she could easily get triple that in less time by working for a reputable IT security company.

    --
    Fast Federal Court and I.T.C. updates
  13. Too far by malditaenvidia · · Score: 1

    It's especially heinous to bully senior citizens online, even for a black hat.

  14. Another Day, Another Hack... by mschwanke97402 · · Score: 1

    Our account data seems to available for the asking. Why do we even bother with having a password anymore?