
Going! going! pwned? 200! million! Yahoo! logins! leaked! allegedly!

Legit or not, they're on sale on the dark web

Updated What's claimed to be the login credentials for 200 million Yahoo! accounts is now on sale through a dark web cybercrime shack.

The purported user database dump is being touted by someone called Peace – as in peace_of_mind, the same miscreant who previously sold LinkedIn and Yahoo-owned Tumblr logins – at an asking price of 3 Bitcoins (or around $1,860) per copy. The provenance and authenticity of the purloined data are unclear.

El Reg asked Yahoo! for comment on the authenticity of the dump, as well as asking what advice it had for its users, but we've yet to hear back. We’ll update this story as and when we hear more.

The swiped account information reportedly includes usernames, easily cracked MD5-hashed passwords and the dates of birth of 200 million Yahoo! users. Some "backup email addresses" as well as the ZIP codes of supposed US users also appear in the dump, Hacker News reports.

Motherboard said it had tested a small sample of the leaked dataset and found many pointed to abandoned accounts. According to Peace, the leaked info dates from 2012.

James Romer, chief security architect Europe at SecureAuth, characterised the Yahoo! dump as the latest in a growing catalogue.

“This year has seen a huge number of compromised user credential breaches from big companies,” Romer said. “Last week it was O2, this week the alleged credentials belong to customers of Yahoo. But LinkedIn, Twitter and the National Childbirth Trust have all appeared on the 2016 hit list.

“It’s estimated that around 60 per cent of fraudulent cybercrimes are committed using stolen credentials, and we say time and again: having a simple password and username login process is just not enough with the advances in cybercrime and the increasing value of personal data.” ®

Updated to add

“We are aware of a claim,” a Yahoo! spokesman told us after publication.

“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
