200 million Yahoo passwords being sold on the dark web?

Graham Cluley



Joseph Cox at Motherboard writes:

A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is “aware” of the hacker’s claims, but has not confirmed nor denied the legitimacy of the data.

On Monday, the hacker known as Peace, who has previously sold dumps of Myspace and LinkedIn, listed supposed credentials of Yahoo users on The Real Deal marketplace. Peace told Motherboard that he has been trading the data privately for some time, but only now decided to sell it openly.

When a hacker advertises a huge hoard of login details for sale, there are often more questions than answers:

  • How many (if any) of the credentials are legitimate? There may be 200 million-or-so being sold, but that doesn’t mean you’ll be able to break into 200 million accounts.
  • What is the origin of the data? Has the data been collected through phishing attacks? Or has the data been collated from the mega breach of another online service (like LinkedIn or MySpace), and is it just evidence that yet again folks have made the mistake of reusing passwords?
  • Are the credentials for current accounts or for old, stale accounts that may have been closed down or had their passwords changed long ago?
  • Is there any evidence of a security breach at Yahoo that could have resulted in login credentials spilling out? (This would be most worrying, but thankfully seems least likely)

Not all of these questions are necessarily easy to answer with absolute certainty.
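One way a defender can start on the first two questions with a sample of such a dump is to de-duplicate it, look at which mail domains it actually covers, and measure its overlap with credentials already known from an earlier breach. This is an added example, not code from the original post; the dump lines, the prior-breach set and the list of claimed domains are constructed sample data, not real leaked values.

```python
"""Triage a claimed credential dump: inflation via duplicates, domain
mix (collation signal) and overlap with an earlier breach (reuse signal).
All sample data below is constructed for illustration."""
from collections import Counter

# Constructed sample of a claimed "Yahoo" dump, one email:password per line.
CLAIMED_DUMP = """\
alice@yahoo.com:Summer2015
bob@yahoo.com:hunter2
alice@yahoo.com:Summer2015
carol@example.net:letmein
dave@yahoo.co.uk:correcthorse
erin@example.org:hunter2
"""

# Constructed sample of pairs already known from an earlier, unrelated breach.
PRIOR_BREACH = {
    ("bob@yahoo.com", "hunter2"),
    ("carol@example.net", "letmein"),
}


def parse_dump(text):
    """Return de-duplicated (email, password) pairs; emails are lower-cased."""
    pairs = set()
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines instead of guessing a split
        email, password = line.split(":", 1)
        pairs.add((email.strip().lower(), password))
    return pairs


def triage(dump_text, prior_breach, claimed_domains=("yahoo.com", "yahoo.co.uk")):
    """Summarise signals bearing on the legitimacy and origin of the dump."""
    raw_lines = [l for l in dump_text.splitlines() if ":" in l]
    pairs = parse_dump(dump_text)
    domains = Counter(email.rsplit("@", 1)[-1] for email, _ in pairs)
    on_claimed = sum(n for d, n in domains.items() if d in claimed_domains)
    overlap = pairs & prior_breach
    return {
        "raw_lines": len(raw_lines),
        "unique_pairs": len(pairs),                        # duplicates inflate the headline count
        "claimed_domain_share": on_claimed / len(pairs),   # low share suggests a collated dump
        "prior_breach_overlap": len(overlap),              # high overlap suggests reused passwords
    }


if __name__ == "__main__":
    print(triage(CLAIMED_DUMP, PRIOR_BREACH))
```

Staleness (the third question) cannot be judged offline; it needs the provider's own account and password-change records.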

But what is clear is that your Yahoo account will be a lot safer if you have enabled two-step verification and have learnt to never reuse passwords.

If you’re not being sensible about your online security, take appropriate steps now to harden your Yahoo account. Because even if this current scare ends up not impacting your account, there is always the danger that you could become a victim in the future.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “200 million Yahoo passwords being sold on the dark web?”

  1. I wondered why they had been suggesting I change my password the last few days.

    Yahoo get brownie points for allowing 32 character passwords with special characters. I know this because I just checked and changed mine.

  2. Wife and I have both been told to change our Yahoo passwords last week! I use 2SV on my phone so quite relaxed. I've used Lastpass to generate a really long password. I have my email addresses monitored on pwnedlist and a year ago was told that a twenty year old (simple one word) password had been found on a list!
