The ink is barely dry on Verizon’s $5bn (£3.8bn) acquisition of Yahoo but things are already looking messy following claims that up to 200 million Yahoo user accounts have been compromised.
The company is investigating claims a hacker linked to “mega-breaches” at MySpace and LinkedIn has posted details of the accounts to a marketplace on the dark web.
Yahoo said it was taking the claim “very seriously” and was “working to determine the facts”. Usernames, passwords and dates of birth are being offered for sale for three bitcoins (£1,360).
“Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” it said in a statement.
Motherboard, which first reported the alleged breach, obtained a 5,000-strong sample of the records, and tested whether they corresponded to real accounts on the service. It found that most of the first two dozen Yahoo usernames tested did correspond to actual accounts.
However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: “This account has been disabled or discontinued,” which might suggest that the data is old.
Brendan Rizzo, technical director at HPE Security, told the BBC: “Data has high value to attackers, and even though the information for sale on the black market could be several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen.”