Slashdot Mirror
Yahoo's Billion-User Database Reportedly Sold On the Dark Web for Just $300,000 - NYT (thenextweb.com)
An anonymous reader writes: As if 2016 wasn't shitty enough for Yahoo -- which admitted to two separate breaches that saw 500 million users' and then 1 billion users' details stolen by hackers -- the New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000. That's according to Andrew Komarov, chief intelligence office at security firm InfoArmor. He told NYT that three buyers, including two prominent spammers and another who might be involved in espionage tactics purchased the entire database at the aforementioned price from a hacker group believed to based in Eastern Europe. It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes. Yahoo also doesn't yet know who made off with all the data from the attack in 2013, which is said to be the largest breach of any company ever.
Now we know why Verizon wants to back out of buying Yahoo.
It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes.
I love the smell of hyperbole in the morning.
Would the OP be happier if the database had commanded a much higher price?
I guess to millennials that think their online persona is their 'life'. An inconvenience sure, but saying it will ruin your life is incorrect.
Might be the most profitable thing you've done in a decade or more!
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.
What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.
What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.
What We Are Doing
We are taking action to protect our users:
What You Can Do
We encourage you to follow these security recommendations:
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
For More Information
For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-upd....
Protecting your information is important to us and we work continuously to strengthen our defenses.
Sincerely,
Bob Lord
Chief Information Security Officer
Yahoo
My eyes reflect the stars and a smile lights up my face.
Maybe we should start thinking about ways to mitigate this kind of thing. If putting all your eggs in one basket and watching it isn't working
then maybe it's better to start thinking about ways to break it up. If instead of having companes like google, yahoo, and facebook with
billions of users, we had hundreds of companies each with a million users apiece then the profit potential is greatly reduced. It still takes
the same amount of work to hack into the system but if you only get 1M accounts then your profit is only $300 instead of $300,000.
It's not a billion people..It's a billion accounts. How many people have more than 1 Yahoo account? Or created one and then never used?
And what data was stolen?
It was "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers."
So not great but not credit cards at least...And who puts in accurate info for DoB anyway?
How many of these were active users? how many were real names? back in the day, I had 2 or three spam accounts under names like James Bond or Homer Simpson...i know others did too. on top of that I dont know anyone still using yahoo actively...
Or has the NY Times not pinned this one on him? Yet?
Do you mean that Yahoo account I started way back when with the fake personal details just so I could use Yahoo messenger? One one I never use for email? That one?
(Makes me wonder what happened to my ICQ account)
I am Slashdot. Are you Slashdot as well?
Most of those "users" are just throwaway mailboxes. You could probably create a database of the same value by generating random usernames @yahoo.com
They overpaid.
Just wait 'til they sell the trillion mail addresses at mailinator!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Valued at $0.0003 per Yahoo user?
They're over-optimistic.
"Failing Up" is a strategy that's not common to most CEOs, regardless of gender.
Support Right To Repair Legislation.
This seems odd. For one thing, this is a set of creds from 2013; didn't Yahoo! force a password reset in 2014+, after the most recent (admitted) breach? I don't quite see what the value would be in that case, though there might be some password reuse value. For another, that seems like a pretty high price compared to other databases that have been on the market, when valuation is done on a per-account basis...and the other databases are from more recent breaches as well.
For your security, this post has been encrypted with ROT-13, twice.
She didn't get to where she is with sexual favors. She got there the same way men become CEO - she's an incompetent sociopath.
This horse-faced ninny has done enough damage! She's also a woman, what is she doing near technology?
..go down the drain now, huh ?
AT&T uses Yahoo for email accounts, you could login at either site with the same user/password.
I know Yahoo for one thing. Throw away accounts for testing malware and spam sites. I know plenty of people who use them that way, and worked at places with burner phones to handle their great security of requiring a phone number to send/receive text to activate accounts.
Oh Noes! Hackers have burner phone numbers and disposable accounts, most likely housing messages with Malware inside. If the people who paid for these were from a different part of society I'd be concerned that they were ripped off.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
The internet is the new daytime television. The people who were hanging around on it in the 90s are long gone. Now it's people who earn under $40,000 per year and have no ideas, are often on government disability aid for mental health, retired and lonely, drunk basement NEETbeards, etc. They are not worth exploiting because they have no money. Not to mention that especially on Yahoo, most of the data will be fake.
Alternative Right.
When the herd rules us, our leaders are always this bad. Thanks for the laugh however!
Alternative Right.
So there's either a backdoor into the system that is still open, or this is an internal breach, like an employee stealing information to finance his ($300k) retirement?
Alternative Right.
A billion accounts, how many are really valid? How much sifting does somebody have to do? And, when they get something, what can they do with it?
OK, you hack somebody's account, get answers to questions like date of birth, (Mother's maiden name?), so then you 'steal their identity' and do what? I know there are times when it can be a nightmare for somebody, but the real horror stories seem to be when somebody was specifically targeted, like for revenge. Are all those zombie bots out there compromised from this kind of stuff? I don't know.
These are not rhetorical questions. I'd really like to know how bad it is. I see ads that try to be scary about it all, but there have been so many stories about accounts being compromised, and then life goes on that I have to wonder.
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Im not a techie... But even with hashed passwords maybe they got 1bil possible passwords to add to their dictionary.
And if it matches with say another list, say your fb attached to the Yahoo, it could be resold as a package at higher value?
(im guessing here)
This is why hashed passwords should be 'salted,' but I have no idea if they were in this case. You can look that up if you're curious.
Yahoo has been saying from the beginning that these attacks were "state sponsored". But why would a State try to sell the database on the dark web?
Fast Federal Court and I.T.C. updates
hashed passwords (using MD5)
Quite a few years back the Inventor of MD5 said "Don't use MD5 for password hashing."
They word this like they were doing they're job right by using MD5. You need more than a hash to protect passwords.