Those of you with a Yahoo account may want to reset your password, as the hacker behind the recent MySpace and LinkedIn data dumps is claiming that he has the details of 200 million Yahoo accounts. He’s ready to sell too, posting the lot on the dark web with an asking price of three bitcoins, which amounts to around $1,800.
Motherboard spoke to the hacker, who goes by the name of Peace, and managed to get its hands on a sample of the data. The supposedly stolen data contains information such as usernames, passwords, birthdays, and backup emails in some cases. The passwords that were taken are hashed, but they’re using the MD5 algorithm, which isn’t exactly the most secure algorithm out there. In fact, MD5 suffers from a rather extensive list of vulnerabilities, so the fact that these passwords are hashed may not mean much in the grand scheme of things.
Motherboard tested some of the emails in its sample of the hacked user data, but says that many of the 100 email addresses it attempted to contact bounced back as undeliverable. The website also tested around two dozen Yahoo usernames, but in many cases was told that those accounts don’t exist, suggesting that this data is old and at least somewhat outdated. Peace says that the information is likely from 2012, but the fact that some of these accounts no longer exist doesn’t necessarily mean former Yahoo users shouldn’t take action to secure their other accounts around the web.
Yahoo, for its part, says that it’s aware of Peace’s claims and is investigating whether or not a data breach took place, while at the same time trotting out the old, tired line we always hear whenever some hacker claims to make off with an obscene amount of user data: “We are committed to protecting the security of our users’ information and we take any such claim very seriously.” We’ll see what Yahoo has to say once it has completed its investigation, but it’s probably best not to wait for confirmation of a breach before resetting your passwords.