RECODE reports that Yahoo is about to confirm a massive data breach of its main service, described as “widespread and serious”, just as America’s largest wireless communications service provider, Verizon, prepares to take over Yahoo’s core assets.
Citing sources close to the matter, Recode said on Thursday that government investigations and legal action has been linked to the breach. A source was quoted saying that this current breach is “worse” than Yahoo’s trouble in August, where 200 million users had their information sold on the dark web, reportedly by the same hacker responsible for the LinkedIn leak.
However, Bloomberg suggests that what Yahoo is about to confirm is that very same breach, which was discovered in August. At the time, the multinational tech company said it was aware of the stolen data and was investigating the claim.
According to Motherboard, the hacker responsible was identified as ‘Peace’. ‘Peace’ listed the allegedly stolen credentials on a site called The Real Deal marketplace, and told Motherboard he had been privately selling the data “for some time”, but decided to go public with it. He was reportedly selling the data for just over US$1,800.
Yahoo came under fire for not issuing a password reset after news of the massive breach emerged. Companies often issue such resets to the owners of affected accounts, either after the fact or as a precautionary measure while they verify the breach.
A listing has been identified on the Real Deal dark web marketplace for what was purported to be 200 million Yahoo! user accounts. The listing was added by Peace (AKA Peace of Mind). The description for this listing claimed that the data dated back to 2012 and priced the data at three Bitcoin (approximately $1860 USD).
Rick Holland, vice president of Strategy at Digital Shadows, said: “Due to the age of the dataset it was assessed as highly likely that this information has already been used for malicious purposes. The posting of the data for sale was likely to result in it being available to a greater number of threat actors, indicating that it will highly likely be more widely used in the immediate future.
“As the passwords in the dataset were found to be unsalted MD5 hashes, the data could likely be used to facilitate password re-use attacks against users who have used the same password for multiple accounts.”
The confirmation announcement is expected this week. New owners Verizon are expected to be in for a difficult time as it will have to steer the already-flailing ship that is Yahoo away from trouble.