Cyber Incident Victim: Yahoo Malaysia
Date: Jan 2012
Location: United States of America
Summary
A cybercriminal known as Peace advertised approximately 200 million user credentials purportedly belonging to Yahoo on a dark web marketplace. The dataset included usernames, MD5-hashed passwords, dates of birth, and backup email addresses, sold for around $1,860 in bitcoin. The company acknowledged awareness of the claim and initiated an investigation but did not confirm the breach's legitimacy. Independent verification of a small data sample indicated some valid accounts, though many associated email addresses were inactive or invalid. The hacker suggested the data originated from an older incident and criticized the company for not resetting passwords.
Description
In August 2016, a hacker known as Peace advertised the sale of approximately 200 million alleged Yahoo user credentials on The Real Deal dark web marketplace. The dataset, priced at 3 bitcoins (approximately $1,860 at the time), purportedly contained records from 2012 and included usernames, MD5-hashed passwords, dates of birth, and backup email addresses. Peace claimed to have privately traded the data before deciding to sell it publicly, stating his motivation stemmed from Yahoo's lack of confirmation about the breach. Yahoo acknowledged awareness of the claims through a spokesperson but neither confirmed nor denied the legitimacy of the data when directly questioned. The company emphasized its commitment to user security and stated its security team was investigating the claims while encouraging users to adopt strong passwords or utilize Yahoo Account Key for password-free login.

Motherboard obtained a 5,000-record sample prior to public listing and verified that a portion of tested usernames corresponded to active Yahoo accounts. However, email delivery attempts to over 100 addresses in the sample revealed many accounts as disabled or non-existent, evidenced by bounce-back messages stating "This account has been disabled or discontinued" or "This user doesn’t have a yahoo.com account." Peace criticized Yahoo for not initiating password resets, which could have mitigated unauthorized account access. The article noted uncertainty regarding the data's origin, suggesting it might represent repackaged information from prior breaches rather than a new compromise. Yahoo's public response remained limited to initial statements, with no subsequent confirmation of breach validity or disclosure of investigative findings at the time of reporting.
