Data of some 200 million Yahoo users has been offered for sale on the TheRealDeal dark web market by “peace_of_mind” (aka “Peace”).
Even though Yahoo has yet to confirm whether the batch actually contains their users’ data, chances are good that it does, as Peace has been selling huge batches of user data stolen from VK, Tumblr, iMesh and other online services, and those have been the real deal.
This batch is being sold for 3 bitcoins (a little over $1,860), and apparently contains the username, MD5-hashed password, and date of birth of some 200 million users, as well as backup email addresses, country and ZIP code of US users.
The MD5-hashed passwords might as well be in plain text, as MD5 hashes are easily “breakable.”
Peace told Catalin Cimpanu that the Yahoo data he is selling dates back to 2012, which is not surprising, as previous batches he sold were also from old breaches.
How many of the accounts will still be active is anyone’s guess. Motherboard tested a small sample of the data, and found that many of the email addresses of the users they tried to contact were abandoned.
Also, Peace told them that before putting the data publicly on sale, he traded it privately for a while.
This batch and previous ones he sold (LinkedIn, Tumblr, etc.) were apparently all dumped by a “Russian group” in 2012, and he simply took advantage of this. Peace says he has earned $65,000 from selling these batches.
Yahoo is currently investigating whether the data on sale belongs to them.
“Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” they noted.