500 million records. That is 300 million more records than experts originally believed, but Yahoo is reporting today that 500 million records were breached 2 years ago in what they believe was a state-sponsored hack.
A Russian hacker named “Peace”, who was originally tied to the massive LinkedIn data breach of 117 million records, is believed to be responsible. The hacker is famous and operates the most successful store on the Dark Web.
With the Yahoo theft, his store now carries 1.2 billion hacked records. Your data is probably for sale there.
Buyers routinely pay about $100 for data from 100,000 accounts and hope to use that data to spam the hell out of the emails, or use the credentials to login to your other accounts. About 50% of consumers use the same email and password combinations on all their internet accounts.
Worse yet, based on information from Peace, there are probably another 500 million records that are unaccounted for. This means that either Yahoo is under-reporting their breached numbers or, more likely, that there is another 500 million record breach that has yet to be disclosed.
What company is next? If Peace’s numbers are to be believed, then there must be another very large company that will announce a record-breaking breach soon.
You can read an interview with Peace here – Wired Magazine Interview.
“Peace_of_mind,” or “Peace,” sells data on the dark web black market TheRealDeal. His or her “store” page has a 100-percent satisfaction rating and feedback like “A+++,” and “follows up with your questions and delivers promptly.” And Peace’s growing selection of merchandise includes 167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, 100 million from the Russian social media site VK.com, and most recently another 71 million from Twitter, adding up to more than 800 million accounts and growing. (from Wired Magazine)
The Breach Was Never Reported to Verizon
Interestingly, this breach has far-ranging implications for the pending Yahoo acquisition by Verizon.
Verizon is currently offering to buy Yahoo for $4.8 Billion but only learned of the data breach days ago, when they were notified by Yahoo security.
Since this breach dwarfs any other breach in history, there could be some negative impact on the acquisition. Investors could potentially lose hundreds of millions of dollars due to the breach.
Bad News for Consumers
Consumers are the real losers here. Most would question why their Yahoo credentials would be of any use to a fraudster.
The answer is simple. There are two ways that this will impact consumers. #1 These emails will be used to launch phishing and spam attacks against consumers, and #2 the email and password combinations will be used for credential stuffing, where fraudsters attempt to take over consumers’ internet accounts and their online banking accounts.
Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
You can get the definitive guide on Credential Stuffing and how it impacts you here – Credential Stuffing.
So What Can You Do To Protect Yourself?
Consumers can do a few things to avoid becoming victims of fraud.
- Cancel your Yahoo Account – Why do you even need it?
- Update your Banking Password – Never use the same password for your bank account as you do for any other service. Also, if you can, use a unique user name rather than your email address.
- Update your eBay, Amazon and PayPal passwords – these are at high risk of being targeted for fraud.
- Be extra wary of suspicious emails – Fraudsters are using those credentials for phishing attempts and for spam. Be careful.
Any questions? Contact [email protected]