Hacker ‘Peace’ offers 200 million Yahoo accounts
A hacker calling himself ‘Peace’ is offering user data from 200 million Yahoo accounts. How legitimate the claim is remains hard to say. Previously, the same hacker offered dumps from LinkedIn and MySpace.
Yahoo said in a response to Motherboard that it is aware of the claim, but that it cannot confirm or disprove the authenticity or legitimacy of the data. It does say it takes the hacker’s claim ‘very seriously’.
The hacker told Motherboard that he had been selling the data out of the spotlight for a while, but has now decided to put it up for sale publicly. The list, which according to Peace contains ‘presumably data from 2012’, is available for 3 bitcoins, about 1650 euros.
At this time, Yahoo has not confirmed a data breach from 2012, and until the data is released for verification it is not known whether it has been repackaged from other major data breaches. The data offered consists of usernames, MD5-hashed passwords, dates of birth and, in some cases, backup email addresses.
Peace tells Motherboard that it would be “better for him if Yahoo doesn’t go for a password reset.” Motherboard obtained 5000 records before the data was put up for sale and determined that some of the usernames appear to correspond to existing accounts, although it tested only “two dozen” names, simply by typing the email addresses into Yahoo’s login field and seeing whether it was possible to proceed to the next step. On the other hand, when Motherboard tried to contact 100 of the email addresses, the messages often came back as undeliverable.
Update 7.40 am: It seems that Yahoo is now recommending that users set a new password. It is not clear whether this was introduced after a possible 2012 vulnerability became known or whether it is offered at random.