Hackers Sold Yahoo’s 1 Billion User Database for Just $300,000 on Dark Web


Yahoo admitted to two separate breaches this year that affected 500 million and then 1 billion users. Now, the reports from security firms suggest this billion-user database was sold on the dark web for $300,000 late August.

Yahoo database for sale on the dark net

In August 2013, hackers penetrated the email system of Yahoo and gained access to the details of over 1 billion users. Names, email addresses, birth dates, phone numbers, and passwords were all stolen in this mega online theft. Security questions and backup email addresses used to reset lost passwords were also stolen.

Yahoo had absolutely no clue about this hack until a third-party notified the company this year. The company had reported another breach in September this year that affected 500 million users' data. While Yahoo has no idea who was the perpetrator, in its announcement, the company said the 2013 breach seemed to be linked to the 2014 hack by "state-sponsored" hackers.

Attackers also gained access to personal data of millions of military and civilian government employees from a number of countries - an absolute goldmine for a criminal hacker. What then happened to this treasure trove in the last 4 years? Yahoo has no clue. But, private security companies have said the data was sold on the dark net for $300,000.

Speaking to the NYT, Andrew Komarov, chief intelligence officer at InfoArmor said that "three buyers - two known spammers and an entity that appeared more interested in espionage - paid about $300,000 each for a complete copy of the database" from a hacking group believed to be based in Eastern Europe.

Komarov said his company obtained a copy of the database and "alerted military and law enforcement authorities in the United States, Australia, Canada, Britain and the European Union about the breach," who verified the authenticity of the stolen records. Some of them also contacted Yahoo with their concerns. However, he didn't approach the company directly because "he did not trust Yahoo to thoroughly investigate the breach since it could threaten the sale to Verizon."

Recommended: Security experts warn not to trust anymore; here's how to delete your account

The information, if true, shows the true worth of a user's security. It only costs $300,000 to have access to data of over a billion people, including business, military and government officials. This means each account is worth just $0.0003 to hackers. The database of 1 billion Yahoo accounts is currently receiving bids as low as $20,000 since the data is much less valuable now as Yahoo has forced a password reset.

While many users shrug off these concerns, saying they stopped using Yahoo a long time ago, it poses a legitimate threat, especially in targeted attacks. Many also use the same credentials for multiple accounts, not to mention the spear-phishing and identity theft issues that would have resulted from this data mine.

Yahoo still doesn't know who attacked it in 2013, or how they got in. The breach is the largest attack of any company ever. The FBI said that it's investigating the breach, however, Yahoo said it hasn't been able to verify Komarov’s claims yet.

The company's deal with Verizon is also in limbo. Verizon had asked for a billion dollar discount on the $4.8 billion deal after the September announcement of the breach that affected 500m users. Following Wednesday's news, the company is weighing its options and might just walk away.