Yahoo's Billion-User Database Reportedly Sold On the Dark Web for Just $300,000 - NYT

An anonymous reader writes: As if 2016 wasn't shitty enough for Yahoo -- which admitted to two separate breaches that saw 500 million users' and then 1 billion users' details stolen by hackers -- the New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000. That's according to Andrew Komarov, chief intelligence office at security firm InfoArmor. He told NYT that three buyers, including two prominent spammers and another who might be involved in espionage tactics purchased the entire database at the aforementioned price from a hacker group believed to based in Eastern Europe. It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes. Yahoo also doesn't yet know who made off with all the data from the attack in 2013, which is said to be the largest breach of any company ever.

Verizon?

[Anonymous Coward]

Now we know why Verizon wants to back out of buying Yahoo.

Re:

[Opportunist]

Why buy the cow when you already got the milk?

Hmm

[tsqr]

It's lovely to know that it only costs $300,000 to be able to threaten a billion people's online existence -- which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes.

I love the smell of hyperbole in the morning.

Would the OP be happier if the database had commanded a much higher price?

Re:

[liquid_schwartz]

a higher price which would only incentivize hackers more in the future.

Whereas the hackers found dead in a pool of blood with obvious signs of torture would only disincentivize future hackers. I'm rooting for that option.

Re:Hmm

[gnick]

Even if I had a Yahoo account, I can't imaging using it for anything that would "ruin my life." It's Yahoo, not Ashley-Madison.

Re:

[houstonbofh]

Even if I had a Yahoo account, I can't imaging using it for anything that would "ruin my life." It's Yahoo, not Ashley-Madison.

I guess we now know that msmash reuses passwords across multiple platforms. :)

Re:

[Agripa]

Even if I had a Yahoo account, I can't imaging using it for anything that would "ruin my life." It's Yahoo, not Ashley-Madison.

Various ISPs like AT&T contract email and subscriber services out to Yahoo. So I would not assume that just because you do not have a Yahoo account that your data was not lost.

Ruin your life?

[Anonymous Coward]

I guess to millennials that think their online persona is their 'life'. An inconvenience sure, but saying it will ruin your life is incorrect.

Re:

[Anonymous Coward]

Are you kidding me? If someone knew I had a Yahoo account, I'd have to jump off a bridge from embarrassment.

Re:

[Anonymous Coward]

Are you kidding me? If someone knew I had a Yahoo account, I'd have to jump off a bridge from embarrassment.

Sent from my AOL account.

Re:

[houstonbofh]

I guess to millennials that think their online persona is their 'life'. An inconvenience sure, but saying it will ruin your life is incorrect.

An instagram account, sure... But Yahoo?

Good Job Yahoo

[bfpierce]

Might be the most profitable thing you've done in a decade or more!

Re:

[houstonbofh]

I was going to say, why didn't they realize that value themselves?

No kidding

[s.petry]

I know Yahoo for one thing. Throw away accounts for testing malware and spam sites. I know plenty of people who use them that way, and worked at places with burner phones to handle their great security of requiring a phone number to send/receive text to activate accounts.

Oh Noes! Hackers have burner phone numbers and disposable accounts, most likely housing messages with Malware inside. If the people who paid for these were from a different part of society I'd be concerned that they were ripped off.

Re:

[LordHighExecutioner]

It is worst: the addresses were stolen by hackers, and bought back by Yahoo, since they couldn't identify the compromised mailboxes.

Just received this from Yahoo! yesterday

[The-Ixian]

We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?

Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

What We Are Doing

We are taking action to protect our users:

• We are requiring potentially affected users to change their passwords.
• We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
• We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do

We encourage you to follow these security recommendations:

• Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
• Review all of your accounts for suspicious activity.
• Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
• Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information

For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-upd... [yahoo.com].

  Protecting your information is important to us and we work continuously to strengthen our defenses.

  Sincerely,

  Bob Lord
  Chief Information Security Officer
  Yahoo

Re:

[Anonymous Coward]

Protecting your information is important to us and we work continuously to strengthen our defenses.

Not a very good track record: https://www.theguardian.com/wo... [theguardian.com]

Re:Just received this from Yahoo! yesterday

[rickyslashdot]

YAAAAHOOOOO ! Our sales reps and corporate execs just made their annual bonus by participating (willing or not) in delivering 1/10th of the world's population's data info to black / grey market re-sellers. What a wonderful system we live in where this can happen with no individuals anywhere in the corporate hierarchy being held criminally culpable - or even accountable - for this data theft that is only now __THREE_YEARS_AFTER_THE_FACT__ being released to the public.

MY OPINION - but this type of 'data breach' is becoming all too common, and will continue to happen while the 'protectors' of this data (the corporations, their management, and data-protection staff) are allowed to skate without any real penalties.

Hell, the recording industry has managed to 'criminalize', at the felony level, simple civil theft of data-transfer and is actually forcing the service providers and the government to be their policing agencies, but corporate data-loss / data-theft like this that can have real economic impact on millions of peoples lives is still dealt with under simple fines and penalties.

Oh, well, at least I don't have to worry, since I don't play the game with all the IM / FRIENDS / data-sharing programs running at the top of the centennial's 'have to have' internet connections.

Whoops

[alternative_right]

We have not been able to identify the intrusion associated with this theft.

So there's either a backdoor into the system that is still open, or this is an internal breach, like an employee stealing information to finance his ($300k) retirement?

Re:Just received this from Yahoo! yesterday

[fisted]

hashed passwords

Nice! I honestly was expecting plaintext passwords. But hashed! Companies are learning!

(using MD5)

Oh, wait.

the stolen information did not include passwords in clear text

ayy, until you google the hash.

Re:

[webmistressrachel]

Your search - 36a7d045d7b15123b79602889074cb16 - did not match any documents.

Suggestions:

Make sure that all words are spelled correctly.
Try different keywords.
Try more general keywords.

Nice try...

Re:

[fisted]

Your search - 36a7d045d7b15123b79602889074cb16 - did not match any documents.

Not anymore.

That said, my search - 2ab96390c7dbe3439de74d0c9b0b1767 - did match some pertinent documents.
And <wild guess>you might have accidentally digested a trailing newline from echo(1) along with your data.</wild guess>

That said, googling the hash is the lazy approach. If you're serious about it, download [pwcrack.com] a [pwcrack.com] rainbow [pwcrack.com] table [pwcrack.com]. Every 8-letter combination of printable ASCII chars in there, fits on a 2TB disk (stored as a plain key-value lookup table, that's 156878 TB worth of data).

I'd say Joe L

Too big to fail

[Wycliffe]

Maybe we should start thinking about ways to mitigate this kind of thing. If putting all your eggs in one basket and watching it isn't working
then maybe it's better to start thinking about ways to break it up. If instead of having companes like google, yahoo, and facebook with
billions of users, we had hundreds of companies each with a million users apiece then the profit potential is greatly reduced. It still takes
the same amount of work to hack into the system but if you only get 1M accounts then your profit is only $300 instead of $300,000.

Re:

[houstonbofh]

Maybe we should start thinking about ways to mitigate this kind of thing. If putting all your eggs in one basket and watching it isn't working then maybe it's better to start thinking about ways to break it up. If instead of having companes like google, yahoo, and facebook with billions of users, we had hundreds of companies each with a million users apiece then the profit potential is greatly reduced. It still takes the same amount of work to hack into the system but if you only get 1M accounts then your profit is only $300 instead of $300,000.

I would love to have federated social networking the way e-mail works now! Think of how much better the UI (Timeline, home page, whatever...) would be when moving did not mean losing your friends!

Re:

[omnichad]

I would love to have federated social networking the way e-mail works now! Think of how much better the UI (Timeline, home page, whatever...) would be when moving did not mean losing your friends!

This was sort of what Google Wave was supposed to be. The execution was so bad (so incredibly messy) that it will never be tried again.

Re:

[Wycliffe]

I would love to have federated social networking the way e-mail works now! Think of how much better the UI (Timeline, home page, whatever...) would be when moving did not mean losing your friends!

This was sort of what Google Wave was supposed to be. The execution was so bad (so incredibly messy) that it will never be tried again.

Google Wave was still owned/controlled by Google. What we need is an open standard like smtp or openid but for social networking.

Re:

[omnichad]

It actually was a federated system. You could build your own client or run your own server.

Re:

[Opportunist]

I have a few dozen. Lots of webpages learned about throwaway mail addresses and blocked them, but they all accept Yahoo.

Well, maybe "having" a few dozen is exaggerated. I used a few dozen once to get past a registration screen. And I doubt I am the only one who had that bright idea.

Re:

[houstonbofh]

I only used mine for Ashley Maddison, so no big loss. ;)

Re:It's not a billion people...

[omnichad]

who puts in accurate info for DoB anyway

Just about everyone who is over 18 and doesn't have a place to keep a copy of all the fake information for account recovery.

Re:

[omnichad]

Your balls have dropped

Happy new year!

they probably over paid

[anthony_greer]

How many of these were active users? how many were real names? back in the day, I had 2 or three spam accounts under names like James Bond or Homer Simpson...i know others did too. on top of that I dont know anyone still using yahoo actively...

Failing up

[Comboman]

"Failing Up" is a strategy that's not common to most CEOs, regardless of gender.

Re:So what about the blond CEO....

[omnichad]

She didn't get to where she is with sexual favors. She got there the same way men become CEO - she's an incompetent sociopath.

Welcome to collapse

[alternative_right]

She got there the same way men become CEO - she's an incompetent sociopath.

When the herd rules us, our leaders are always this bad. Thanks for the laugh however!

Ruin my life?

[OzPeter]

Do you mean that Yahoo account I started way back when with the fake personal details just so I could use Yahoo messenger? One one I never use for email? That one?

(Makes me wonder what happened to my ICQ account)

Re:

[Anonymous Coward]

You do not need any access to an account to send spam "from" it. Just telnet to port 25 of any mail server and pretend to be whoever you like.

These are just email records

[ugen]

Most of those "users" are just throwaway mailboxes. You could probably create a database of the same value by generating random usernames @yahoo.com

Clearly

[Patent Lover]

They overpaid.

300k for a billion addresses? Pah!

[Opportunist]

Just wait 'til they sell the trillion mail addresses at mailinator!

Re:

[Drethon]

Just wait 'til they sell the trillion mail addresses at mailinator!

My Yahoo mail might get one more spam e-mail a day that slips through the filters? I use Yahoo as my throwaway address for registrations of minimal value, I'm pretty sure every spam company in the world already has my yahoo address.

Overvaluing the mark

[Notabadguy]

Valued at $0.0003 per Yahoo user?

They're over-optimistic.

Re:

[David_Hart]

Valued at $0.0003 per Yahoo user?

They're over-optimistic.

There is probably more value in buying a delinquent credit sheet that has been through 3 other collection agencies....

Hm.

[Shoten]

This seems odd. For one thing, this is a set of creds from 2013; didn't Yahoo! force a password reset in 2014+, after the most recent (admitted) breach? I don't quite see what the value would be in that case, though there might be some password reuse value. For another, that seems like a pretty high price compared to other databases that have been on the market, when valuation is done on a per-account basis...and the other databases are from more recent breaches as well.

Re:

[lhowaf]

Good point. I think the password is probably the least valuable piece of information in the db - except for the value in generating another '100 worst passwords' list..

Does this include AT&T accounts?

[Anonymous Coward]

AT&T uses Yahoo for email accounts, you could login at either site with the same user/password.

User accounts are cheap because they are low value

[alternative_right]

The internet is the new daytime television. The people who were hanging around on it in the 90s are long gone. Now it's people who earn under $40,000 per year and have no ideas, are often on government disability aid for mental health, retired and lonely, drunk basement NEETbeards, etc. They are not worth exploiting because they have no money. Not to mention that especially on Yahoo, most of the data will be fake.

Does this show what a billion accounts is worth?

[shoor]

A billion accounts, how many are really valid? How much sifting does somebody have to do? And, when they get something, what can they do with it?
OK, you hack somebody's account, get answers to questions like date of birth, (Mother's maiden name?), so then you 'steal their identity' and do what? I know there are times when it can be a nightmare for somebody, but the real horror stories seem to be when somebody was specifically targeted, like for revenge. Are all those zombie bots out there compromised fr

State Sponsored

[speedplane]

Yahoo has been saying from the beginning that these attacks were "state sponsored". But why would a State try to sell the database on the dark web?