Yahoo Suspects It Has Suffered A Huge Data Breach

Yahoo is investigating claims the hacker linked to "mega-breaches" at MySpace and LinkedIn has posted details of 200 million Yahoo accounts to a marketplace on the dark web.

Usernames, passwords and dates of birth are being offered for sale for three bitcoins (£1,360). Using the name Peace, the hacker said the data was "most likely" from 2012. Yahoo said it was taking the claim "very seriously" and was "working to determine the facts".

"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms," it said in a statement.

Dictionary attack

The passwords appear to be hashed, which means they have been scrambled, but the hacker has also published details of the algorithm allegedly used for the hash.

"The algorithm MD5 is considered to be weak, and for the vast majority of passwords it is easy to reverse what it was using what we call a dictionary attack," said Prof Alan Woodward, a security expert from Surrey University. He added though that caution needed to be exercised about the alleged breach.

"We have seen claims about similar dumps in the past weeks which have proved to be fake or just old data," he said. "People are still trying to work out if it is real or not."

Motherboard, which first reported the alleged breach, obtained a small sample of the data - some 5,000 records, and tested whether they corresponded to real accounts on the service.

It found that most of the first two dozen Yahoo usernames tested did correspond to actual accounts.

However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: "This account has been disabled or discontinued," which might suggest that the data is old.

Brendan Rizzo, technical director at HPE Security, said: "Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen."

Earlier this month, Yahoo was sold to US telecoms giant Verizon for nearly $5bn (£3.8bn).

BBC

« IBM’s Watson Takes Aim At CyberSecurity
Does Russia Benefit When Assange Reveals Secrets? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Together

Cyber Together

Cyber Together is dedicated to advancing the cyber security industry by giving businesses access to Israel’s leaders, innovators and great minds in the field of cyber security.

Secudos

Secudos

SECUDOS is an innovative appliance technology and services provider focused on IT security and compliance.

Segusoft

Segusoft

With its encryption platform SEGULINK, Segusoft provides standard software for companies to securely transfer files and messages.

Cyber Security Austria (CSA)

Cyber Security Austria (CSA)

Cyber Security Austria (CSA) is an independent non-profit association with the aim to address security issues in the area of IT/cyber security of critical/strategic infrastructures in Austria.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

Cloud Managed Networks

Cloud Managed Networks

Cloud Managed Networks provides enterprise grade IT network solutions for cloud-based and on premise network security, Wi-Fi, data switching, collaboration, device management and more.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

Zercurity

Zercurity

Zercurity is on a mission to build the ultimate cybersecurity operations platform for businesses. To help protect against a growing number of internal and external threats.

Portshift

Portshift

Portshift leverages the power of Kubernetes and Service-Mesh to deliver a single source of truth for containers and cloud-native applications security.

Armenia Startup Academy

Armenia Startup Academy

Armenia Startup Academy is a pre-acceleration program for selected Armenian tech companies and startups in areas including cybersecurity.

Bloc Ventures

Bloc Ventures

Bloc Ventures is an investment company providing long-term, ‘patient’ equity capital to early stage unquoted deep technology companies.

Digital Pathways

Digital Pathways

Digital Pathways is an award-winning data security provider that helps businesses protect their digital assets.

SideChannel

SideChannel

At SideChannel, we match companies with an expert virtual CISO (vCISO), so your organization can assess cyber risk and ensure cybersecurity compliance.

VulnCheck

VulnCheck

VulnCheck helps organizations outpace adversaries with vulnerability intelligence that predicts avenues of attack with speed and accuracy.

Pango

Pango

Pango is a leading provider of digital consumer security solutions.