Yahoo is investigating a potential data breach after a hacker claimed to have uploaded the details of 200 million accounts to underground marketplace 'The Real Deal.'
The hacker - who goes by the name 'Peace' - was also behind the recent LinkedIn and MySpace breaches that compromised millions of users. He now appears to have uploaded usernames, dates of birth and hashed passwords from Yahoo accounts.
Speaking to IBTimes UK, a Yahoo spokesperson said: "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously. Our security team is working to determine the facts.
"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."
It's still not clear how Peace obtained the details - whether through hacking Yahoo itself or by obtaining them through a third party - or even if the credentials are legitimate.
It is, however, likely that the data is a few years old, as with the LinkedIn and MySpace hacks. The LinkedIn data, for example, was from a breach that occurred in 2012, with over 100 million users included in the data set.
Peace has allegedly listed the credentials at a price of three bitcoins (equivalent to around $1,838), slightly less than the LinkedIn and MySpace data dumps which were listed at $2,200 and $2,538 respectively.
Kevin Cunningham, president and founder of SailPoint:
"Password management is still very much a critical element to an organisation's security and risk management programs and one that many organisations are still struggling to get right. The most obvious and simple measures are still being overlooked, or often, business users are simply unaware of the potential dangers.
"These will only get worse as we continue to adopt applications – both cloud and web applications – across the organisation at the rate we have been over the last couple of years, especially without any control or oversight from IT."
James Romer, Chief Security Architect Europe, SecureAuth:
"This year has seen a huge number of compromised user credential breaches from big companies. Last week it was O2, this week the alleged credentials belong to customers of Yahoo. But LinkedIn, Twitter and the National Childbirth Trust have all appeared on the 2016 hit list. It's estimated that around 60 per cent of fraudulent cybercrimes are committed using stolen credentials, and we say time and again, having a simple password and username login process is just not enough with the advances in cybercrime and the increasing value of personal data.
"What will it take for businesses to stop this reliance on simple username and password credentials for authentication? We are already seeing banks making a move to voice authentication as a way of eradicating the need for security questions and passwords, and it is imperative that more organisations take this lead and look to employ unique identifiers based on users' behaviours which cannot be replicated, rather than passwords which we know are so open to fraud.
"Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly."
Image Credit: Ken Wolter / Shutterstock