Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo's Billion-User Database Reportedly Sold On the Dark Web for Just $300,000 - NYT (thenextweb.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: As if 2016 wasn't shitty enough for Yahoo -- which admitted to two separate breaches that saw 500 million users' and then 1 billion users' details stolen by hackers -- the New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000. That's according to Andrew Komarov, chief intelligence office at security firm InfoArmor. He told NYT that three buyers, including two prominent spammers and another who might be involved in espionage tactics purchased the entire database at the aforementioned price from a hacker group believed to based in Eastern Europe. It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes. Yahoo also doesn't yet know who made off with all the data from the attack in 2013, which is said to be the largest breach of any company ever.

19 of 71 comments (clear)

  1. Hmm by tsqr · · Score: 4, Insightful

    It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes.

    I love the smell of hyperbole in the morning.

    Would the OP be happier if the database had commanded a much higher price?

    1. Re:Hmm by gnick · · Score: 4, Funny

      Even if I had a Yahoo account, I can't imaging using it for anything that would "ruin my life." It's Yahoo, not Ashley-Madison.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Hmm by liquid_schwartz · · Score: 2

      a higher price which would only incentivize hackers more in the future.

      Whereas the hackers found dead in a pool of blood with obvious signs of torture would only disincentivize future hackers. I'm rooting for that option.

  2. Good Job Yahoo by bfpierce · · Score: 5, Funny

    Might be the most profitable thing you've done in a decade or more!

  3. Just received this from Yahoo! yesterday by The-Ixian · · Score: 4, Informative

    We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

    What Happened?

    Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

    What Information Was Involved?

    The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

    What We Are Doing

    We are taking action to protect our users:

    • We are requiring potentially affected users to change their passwords.
    • We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
    • We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

    What You Can Do

    We encourage you to follow these security recommendations:

    • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
    • Review all of your accounts for suspicious activity.
    • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
    • Avoid clicking on links or downloading attachments from suspicious emails.

    Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

    For More Information

    For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-upd....

      Protecting your information is important to us and we work continuously to strengthen our defenses.

      Sincerely,

      Bob Lord
      Chief Information Security Officer
      Yahoo

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Just received this from Yahoo! yesterday by rickyslashdot · · Score: 3, Insightful

      YAAAAHOOOOO ! Our sales reps and corporate execs just made their annual bonus by participating (willing or not) in delivering 1/10th of the world's population's data info to black / grey market re-sellers. What a wonderful system we live in where this can happen with no individuals anywhere in the corporate hierarchy being held criminally culpable - or even accountable - for this data theft that is only now __THREE_YEARS_AFTER_THE_FACT__ being released to the public.

      MY OPINION - but this type of 'data breach' is becoming all too common, and will continue to happen while the 'protectors' of this data (the corporations, their management, and data-protection staff) are allowed to skate without any real penalties.

      Hell, the recording industry has managed to 'criminalize', at the felony level, simple civil theft of data-transfer and is actually forcing the service providers and the government to be their policing agencies, but corporate data-loss / data-theft like this that can have real economic impact on millions of peoples lives is still dealt with under simple fines and penalties.

      Oh, well, at least I don't have to worry, since I don't play the game with all the IM / FRIENDS / data-sharing programs running at the top of the centennial's 'have to have' internet connections.

      --
      redneck geek
    2. Re:Just received this from Yahoo! yesterday by fisted · · Score: 3, Funny

      hashed passwords

      Nice! I honestly was expecting plaintext passwords. But hashed! Companies are learning!

      (using MD5)

      Oh, wait.

      the stolen information did not include passwords in clear text

      ayy, until you google the hash.

      --
      CLI paste? paste.pr0.tips!
    3. Re:Just received this from Yahoo! yesterday by fisted · · Score: 2

      Your search - 36a7d045d7b15123b79602889074cb16 - did not match any documents.

      Not anymore.

      That said, my search - 2ab96390c7dbe3439de74d0c9b0b1767 - did match some pertinent documents.
      And <wild guess>you might have accidentally digested a trailing newline from echo(1) along with your data.</wild guess>

      That said, googling the hash is the lazy approach. If you're serious about it, download a rainbow table. Every 8-letter combination of printable ASCII chars in there, fits on a 2TB disk (stored as a plain key-value lookup table, that's 156878 TB worth of data).

      I'd say Joe Luser rarely picks passwords longer than 8 chars. And I don't suppose you're going to tell me that yahoo bothered to salt their md5 hashes...

      So overall you can consider the vast majority of those passwords to be compromised. Naturally, they'll find their way into much smaller, real-world-passwords lookup tables...

      --
      CLI paste? paste.pr0.tips!
  4. Too big to fail by Wycliffe · · Score: 2

    Maybe we should start thinking about ways to mitigate this kind of thing. If putting all your eggs in one basket and watching it isn't working
    then maybe it's better to start thinking about ways to break it up. If instead of having companes like google, yahoo, and facebook with
    billions of users, we had hundreds of companies each with a million users apiece then the profit potential is greatly reduced. It still takes
    the same amount of work to hack into the system but if you only get 1M accounts then your profit is only $300 instead of $300,000.

    1. Re:Too big to fail by houstonbofh · · Score: 2

      Maybe we should start thinking about ways to mitigate this kind of thing. If putting all your eggs in one basket and watching it isn't working then maybe it's better to start thinking about ways to break it up. If instead of having companes like google, yahoo, and facebook with billions of users, we had hundreds of companies each with a million users apiece then the profit potential is greatly reduced. It still takes the same amount of work to hack into the system but if you only get 1M accounts then your profit is only $300 instead of $300,000.

      I would love to have federated social networking the way e-mail works now! Think of how much better the UI (Timeline, home page, whatever...) would be when moving did not mean losing your friends!

    2. Re:Too big to fail by omnichad · · Score: 2

      I would love to have federated social networking the way e-mail works now! Think of how much better the UI (Timeline, home page, whatever...) would be when moving did not mean losing your friends!

      This was sort of what Google Wave was supposed to be. The execution was so bad (so incredibly messy) that it will never be tried again.

  5. Re:Ruin your life? by Anonymous Coward · · Score: 2, Funny

    Are you kidding me? If someone knew I had a Yahoo account, I'd have to jump off a bridge from embarrassment.

  6. Ruin my life? by OzPeter · · Score: 2

    Do you mean that Yahoo account I started way back when with the fake personal details just so I could use Yahoo messenger? One one I never use for email? That one?

    (Makes me wonder what happened to my ICQ account)

    --
    I am Slashdot. Are you Slashdot as well?
  7. 300k for a billion addresses? Pah! by Opportunist · · Score: 3, Funny

    Just wait 'til they sell the trillion mail addresses at mailinator!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:It's not a billion people... by omnichad · · Score: 3, Informative

    who puts in accurate info for DoB anyway

    Just about everyone who is over 18 and doesn't have a place to keep a copy of all the fake information for account recovery.

  9. Re:So what about the blond CEO.... by omnichad · · Score: 5, Insightful

    She didn't get to where she is with sexual favors. She got there the same way men become CEO - she's an incompetent sociopath.

  10. Re:Ruin your life? by Anonymous Coward · · Score: 2, Funny

    Are you kidding me? If someone knew I had a Yahoo account, I'd have to jump off a bridge from embarrassment.

    Sent from my AOL account.

  11. No kidding by s.petry · · Score: 2

    I know Yahoo for one thing. Throw away accounts for testing malware and spam sites. I know plenty of people who use them that way, and worked at places with burner phones to handle their great security of requiring a phone number to send/receive text to activate accounts.

    Oh Noes! Hackers have burner phone numbers and disposable accounts, most likely housing messages with Malware inside. If the people who paid for these were from a different part of society I'd be concerned that they were ripped off.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  12. Whoops by alternative_right · · Score: 4, Interesting

    We have not been able to identify the intrusion associated with this theft.

    So there's either a backdoor into the system that is still open, or this is an internal breach, like an employee stealing information to finance his ($300k) retirement?

    --
    Alternative Right.