On Monday, a hacker going by “peace_of_mind” or simply “Peace” advertised about 200 million Yahoo credentials on the Dark Web. The leak allegedly contains usernames, hashed (scrambled) passwords, birthdates and in some cases, backup email addresses. Peace is offering the entire database for 3 bitcoins, or about $1800. As of this writing, Yahoo has not confirmed or denied a breach, but is investigating.
The hacker has posted a sample of the database online, and the passwords in it are hashed with MD5 (Message Digest 5). A hash function is a one-way mathematical function: it turns an input (here, the password) into a fixed-length string of characters, the hash, from which the original cannot be read back directly. A site that stores hashes instead of plaintext passwords does not have to hold the passwords themselves.
That stops a casual reader from seeing your password, but how much protection it gives depends on the algorithm and on how it was used. MD5 is a poor choice for passwords: it is very fast to compute and, in this sample, unsalted, so every user who chose the same password has exactly the same hash. Rainbow tables and precomputed lists pairing common passwords with their MD5 hashes are readily available online, and automated cracking tools can test billions of guesses per second. Strictly speaking a hash is not "reversed"; the attacker hashes candidate passwords until one matches. But for any common or short password in the dump that takes a fraction of a second.
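To make the difference concrete, here is an added example (not code from the article or from Yahoo) that hashes a constructed set of weak passwords two ways and runs the same small dictionary attack against both. The usernames, passwords and wordlist are made up for the demonstration; the point is that an unsalted MD5 dump is cracked with one pass over the wordlist, while a salted, iterated hash (PBKDF2 here, as a stand-in for bcrypt, scrypt or Argon2) forces the attacker to redo the work for every user.

```python
import hashlib
import os

# Constructed sample data standing in for a leaked credential dump; none of it
# comes from the Yahoo database.
USER_PASSWORDS = {
    "alice": "password1",
    "bob": "sunshine",
    "carol": "Tr0ub4dor&3",   # not in the wordlist, so neither attack finds it
    "dave": "password1",      # same password as alice
}

# A tiny wordlist standing in for a real cracking dictionary or rainbow table.
WORDLIST = ["123456", "password", "password1", "qwerty", "sunshine", "letmein"]


def md5_hex(password):
    """Unsalted MD5, the scheme the leaked sample uses."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_unsalted(passwords):
    """What a site storing unsalted MD5 ends up holding: identical passwords
    produce identical digests, so one lookup table serves every user."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def crack_unsalted(stored, wordlist):
    """Precompute digest -> plaintext once, then crack every user by lookup.
    Returns the cracked passwords and the number of hash computations spent."""
    table = {md5_hex(word): word for word in wordlist}   # a miniature rainbow table
    cracked = {user: table[digest] for user, digest in stored.items() if digest in table}
    return cracked, len(wordlist)


# Contrast: a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from the
# standard library). The iteration count is chosen so the demo runs in well under
# a second; production deployments use far more.
ITERATIONS = 50_000


def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def store_salted(passwords):
    """Each user gets a random 16-byte salt stored beside the digest."""
    stored = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        stored[user] = (salt, pbkdf2_hex(pw, salt))
    return stored


def crack_salted(stored, wordlist):
    """No shared table is possible: every (user, candidate) pair costs a full
    PBKDF2 computation, and a hit for one user says nothing about another."""
    cracked = {}
    work = 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if pbkdf2_hex(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = store_unsalted(USER_PASSWORDS)
    print("alice and dave share a digest under MD5:", unsalted["alice"] == unsalted["dave"])
    found, work = crack_unsalted(unsalted, WORDLIST)
    print(f"MD5: cracked {found} with {work} hash computations")

    salted = store_salted(USER_PASSWORDS)
    print("alice and dave share a digest under salted PBKDF2:", salted["alice"][1] == salted["dave"][1])
    found, work = crack_salted(salted, WORDLIST)
    print(f"PBKDF2: cracked {found} with {work} computations of {ITERATIONS} iterations each")
```

Both attacks recover the same three weak passwords, which is the real lesson for users: salting and slow hashing raise the attacker's cost per guess, they do not rescue a password that appears in a wordlist. What salting does change is scale. The MD5 run spends six hash computations for the whole dump and would spend six for 200 million users; the PBKDF2 run spends 17 computations of 50,000 iterations each for four users and grows linearly with the user count.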
Peace has hinted that the data he is selling is likely from 2012, and that he has already sold copies of it. The MySpace and LinkedIn breaches a few months ago have also been attributed to Peace: MySpace had over 427 million credentials stolen and LinkedIn had 117 million. Motherboard has reported that many of the Yahoo credentials no longer work or are invalid.
As of now, the source of the breach is unknown. Peace has claimed that this breach, along with the MySpace, LinkedIn and Tumblr breaches, was the work of a Russian group. Yahoo has not issued a password reset yet, which is often the first step after notifying users. Still, better to be safe than sorry: if you haven’t changed your Yahoo password in some time, or reuse that old password on other accounts, now is a good time to change it, and to give each account a password of its own.