Yahoo is investigating claims that credentials of 200 million users were stolen from its platform, after a hacker known as “Peace” made claims on Aug. 1 that credentials were now up for sale.
The initial disclosure was made by Motherboard, whom Peace contacted and allegedly shared some of the data with. It’s not entirely clear when or even if Yahoo itself was breached, and precisely how the data was obtained. What is known is that the hacker admits the data is from 2012 and is now being sold for 3 Bitcoins, which is worth approximately $1,900.
Yahoo has not yet publicly stated whether or not a breach has occurred and whether the data is real, but the company is taking the claim seriously and is investigating at its end.
“Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” Yahoo said in a statement.
Georgia Weidman, founder and CTO of Shevirah, is skeptical of the claims, until at least Yahoo confirms they are real. Weidman is a well-known mobile penetration tester and is at the Black Hat USA conference this week, where she is presenting her company’s tools in the Black Hat Arsenal .
“The Motherboard article mentions that they spot checked some accounts and they worked,” Weidman said. “There really isn’t any other way to tell [if the breach is valid] until Yahoo confirms.”
One of the surprising aspects of the alleged breach, aside from the large numbers of user credentials that might have been stolen, is that the data is from 2012. That might mean Yahoo was the victim of a data breach four year ago and didn’t realize it, or just didn’t know that data was exfiltrated.
“It is absolutely possible that the data was stolen and the breach never discovered,” Weidman said. “If it truly is from 2012, it would be very unlikely that Yahoo’s SOC [Security Operations Center] would have audit data from four years ago.”
Weidman added that the U.S. Department of Defense standard for audit log retention, for all but classified data, is one year and five years for Top Secret/Sensitive Compartmented Information (TS/SCI) audit data.
Even though the Yahoo data dump might comprise passwords that are 4 years old, there is still a real risk to users today. LinkedIn was breached in 2012, but in May of this year, the same hacker (Peace) who is selling the Yahoo passwords started to sell user information from LinkedIn. As it turns out, that data dump was real, and LinkedIn took additional security steps, including invalidating impacted user passwords.
“With people’s propensity to reuse user IDs and passwords and never change them, even 4-year-old data will be useful to hackers,” Weidman said. “I suspect Yahoo will confirm, ask users to change their passwords (which they won’t) and offer credit monitoring for a year.
“Effectively a collective shrug.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.