A hacker using the pseudonym "Peace" has uploaded what purports to be a data dump of 200 million Yahoo accounts to an underground marketplace called The Real Deal. The technology giant, which has not yet confirmed the authenticity of the data, admitted it was "aware" of the potential leak.
The suspected leak comes in the wake of other "mega breaches" at Myspace and LinkedIn that each compromised millions of customer records and were both uploaded by the same cybercriminal. As with prior hacks, usernames, hashed passwords and dates of birth appear to have been compromised.
Alongside the listing, which was uploaded with a sample of the data, Peace wrote that the credentials were "most likely" from 2012 and that passwords in the data dump were hashed with the MD5 algorithm.
At the time of writing, the credentials are being sold for three bitcoins, a form of cryptocurrency, which is equivalent to £1,395 ($1,838). Based on the sample, a number of the records correspond with real accounts, while others do not, which is to be expected for a dataset containing older information.
A Yahoo spokesperson told IBTimes UK via email: "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously. Our security team is working to determine the facts.
"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."
As noted by Vice Motherboard, which first reported news of the potential breach, the firm neither confirmed nor denied that the data was legitimate. IBTimes UK contacted Peace for comment via The Real Deal but did not receive a response by the time of publication. It remains unclear whether Peace hacked Yahoo to get access to the credentials, whether the data was obtained from a secondary source or even whether it is simply made up from records taken from other major hacks.
Little is known about the individual – or group – behind the Peace persona. However, in one interview given to Wired, he or she claimed to once have been part of a Russian hacking group that targeted major technology firms.
Once the group reportedly split, data dumps from 2012/13 that were previously only shared with an "inner circle" started to appear online. These included 160 million accounts from LinkedIn, 100 million from Russian social media platform VK.com and 360 million from Myspace.