Cyber-security firm InfoArmor claims that the data from Yahoo’s one billion user account hack was sold a number of times last August for $300,000 on the “dark web,” and that it is still offered for sale.
As Breitbart noted, the data from the hack in 2014, along with a 500,000-user hack in 2013, “were so extensive that they included users’ names, email addresses, phone numbers, dates of birth, scrambled passwords and security questions and answers.”
Although Yahoo responded that “Payment card data and bank account information are not stored in the system the company believes was affected,” Breitbart warned that “there have been reports that financial data details were also exploited by criminal intruders.”
The hack impacts many more users than just those with a “yahoo.com” account. British Telecom (BT), SBC Global, AT&T, BellSouth and Canada’s Rodgers Telecom did or still do use Yahoo for their customer email. Verizon.net email addresses were serviced by Yahoo until the company acquired AOL in late 2015.
When criminals have access to a Yahoo user’s inbox, they can request a password reset link be sent to a user’s inbox from any Web site. The only good news is that Yahoo has a policy of deactivating or deleting inactive accounts that remain dormant after one year.
InfoArmor’s chief intelligence officer Andrew Komarov told the New York Times that two prominent spammers and another party who might be involved in “espionage tactics” had each purchased the entire database on the “dark web” from an Eastern European-based hacker group at the rate of $0.0003 per user, or about $300,000.
Transactions took place on the “dark web,” because it allows criminals and others to engage in illicit activity anonymously to transmit encrypted Internet traffic between Tor project servers that remain hidden and inaccessible through standard web browsers.
Komarov told Bloomberg that it is believed that there were 150,000 US government and military employees’ details that were in the marketed database, which could give the hackers and their clients a pathway to target U.S. national security systems and users.
Given that public Internet users tend to have common passwords across many devices and applications, the Yahoo hack will make most of its users vulnerable to “phishing” attacks that can feature accurate personal information to coax users into handing over things like their bank account, credit card and social security numbers.
Yahoo responded to media inquiries that it hasn’t been able to verify any sale of its data. Komarov claims that the database is still offered for sale, but bids for the data trove plummeted to as low as $20,000 after Yahoo forced a password reset for affected users.
Another value of a hacked email account is that once a criminal is controlling the online address, they can usually reset the password of potentially dozens of associated services or accounts by just requesting a password reset be sent by email.
According to the “Krebs on Security” blog, the market price for stolen accounts is $8 for iTunes and FedEx; $6 for Continental.com and United.com; $5 for Att.com, Sprint.com, Verizonwireless.com, Tmobile.com and Groupon; and $2.50 for Facebook and Twitter. The offered rates for access to sites like dell.com, overstock.com, walmart.com, bestbuy.com and target.com is about $1 to $3.