A hacker has claimed to have stolen 200 million user account details from Yahoo.
Yahoo is believed to be investigating reports that a hacker has stolen 200 million of its user account details and is selling them on the dark web.
According to the BBC, Yahoo is investigating the breach.
Reports on the web suggest that a hacker called Peace, believed to have previously been part of a Russian hacking syndicate, is selling Yahoo user account details for £1,380, using bitcoin.
While some observers have said the stolen login details are relatively old, dating back to 2012, many users do not change their password and login details and often use the same login across multiple web and social media sites.
Simon Crosby, CTO and co-founder of Bromium, said: “Users need to be vigilant. If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non work email address from an online provider.
“Users should also be on the lookout for strange-looking emails from friends whom they would normally trust – their account might have been compromised. Finally, reset your online service passwords such as your bank, if you think your email may have been compromised, since many SaaS apps use email to confirm password changes.”
According to some experts, the hacker may have tried to extort money from Verizon, which last month acquired Yahoo for $4.8bn.
Lisa Baergen, director at NuData Security, said: “All indications are that this is an old breach (2012) prior to Yahoo changing the method in which it stores and protects passwords. This dark web “sale” of old data appears to have been triggered by the sale of Yahoo to Verizon. The hacker sent his demand for extortion to the Verizon CISO, who appears to not have taken the bait… and now the data is for sale.”
Trent Telford, CEO at Covata, said the hacker claimed Yahoo’s encryption was weak.
“While it’s not completely clear what encryption Yahoo was using – the hacker did comment that the data was hashed with an MD5 algorithm, coding that can easily be bypassed – the access management element alone clearly wasn’t sufficient. Companies must understand that not all encryption was created equal. They must use technology that not only robustly encrypts data at source individually rather than in huge sets, but also enables them to rigorously control who is accessing it and where. This ensures information is only readable by those with the relevant security clearance in a secure environment. The data also becomes completely trackable, meaning access can be locked down should it somehow make its way onto the dark web.”