Billion stolen Yahoo accounts sold on the dark web
Hackers are selling the personal details from a billion accounts stolen from Yahoo in 2013, security researchers claim. Data being sold could include names, dates of birth, phone numbers, passwords, security questions and email addresses, but not bank details, which Yahoo says weren’t stolen.
The hack, which Yahoo admitted in December, is believed to be the biggest ever security breach. On Yahoo’s website ( www.snipca.com/ 22916) Bob Lord, the company’s chief information security officer, wrote: “Based on further analysis of this data by forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts”.
Arizona-based security company Infoarmor said that in August 2016 a hacking collective based in eastern Europe offered the data on the dark net for $300,000 (around £242,000).
It claims that three groups – two spammers and one involved in “espionage” – have bought the data. Infoarmor’s chief intelligence officer Andrew Komarov said that since obtaining the database his company had alerted military and law-enforcement authorities in the US, Australia, Canada and the UK.
Komarov added that he didn’t approach Yahoo directly because he was concerned that the company’s planned £4.8bn purchase by Verizon would discourage it from investigating the theft thoroughly.
Bob Lord added that the latest attack is unrelated to the hack Yahoo admitted in September last year, in which the details of 500,000 accounts were stolen in 2014.
However, he did reveal that the hackers behind the 2014 attack had learnt how to forge the cookies that Yahoo use to recognise you when you log in, meaning a hacker wouldn’t need the correct password to access a Yahoo account, and could be logged in indefinitely.