Computer security experts are poring over a small sample of data to determine if technology company Yahoo’s user database has been hacked.
An advert for the email addresses and passwords of 200 million Yahoo accounts has popped up on the dark web, offering the data for sale for about $2,000.
They are being sold by a notorious internet criminal, known as peace_of_mind, who has been behind the recent sale of stolen data belonging to LinkedIn and MySpace.
Peace_of_mind has described themselves as a “shady dark web data dealer”.
And their preferred way of doing business has been selling the user databases of some of the world’s largest technology companies.
Troy Hunt, one of the world’s foremost experts on data breaches, said the claim was that Yahoo had been hacked at some point in the past few years.
Mr Hunt runs the website ‘Have I Been Pwned?’, which allows someone to see if and how their email address has been stolen.
“I guess what has us a little concerned is that this particular seller has shown that he is able to sell legitimate products,” he said.
“That’s what they are represented to be and on that basis alone, it sort of makes us look at Yahoo claims and say well there’s a high probability it’s going to be true.”
Successful seller history makes claim more believable
The number of total individual accounts sold by peace_of_mind was likely more than 1 billion.
He or she has previously sold 167 million LinkedIn accounts, more than 300 million accounts from MySpace and nearly 70 million from Tumblr, and a similar amount from Twitter.
Mr Hunt said the sale of the Yahoo information was similar to the others.
“The seller of this sort of data wants to provide samples to encourage people to buy it, and I guess it’s like any other product, you just give them a taste and then they’re going to want to buy into it,” he said.
“So he’s provided enough information, such as the data doesn’t appear to be fake, but not quite enough to be confident that it’s actually legitimate.”
The ABC has seen about 500 records, which the seller posted on the dark web marketplace as evidence to show the data was genuine.
However, many of the email addresses do not appear to be working — they could be old, or may have been simply made up.
Mr Hunt said he had not been able to fully confirm the information, but the fact that it came from a seller with a long successful selling history made the claim more believable.
Peace_of_mind’s account on the dark web has 75 positive reviews and a 100 per cent successful feedback score, so buyers were clearly happy.
“One of the things about these dealers as well, and these dark markets in general, is that reputation is really important, they trade on reputation,” he said.
“And this particular seller’s reputation is very positive, you can literally go onto the dark market site and just like an eBay seller, you see the reputation and it’s all positive feedback from every trade that this individual has made.
“And that’s what sort of gets me going: I can’t find the email addresses in my system, however, so far this guy has sold exactly what he has represented he’s sold.”
Buyers will go on to commit crimes
Mr Hunt said it would be the buyers, who were after a return on their investment, who would go on to use the data to commit crimes.
“So for example, they may then go through those accounts and see which one of them will unlock Gmail accounts, now they’ve got access to Gmail,” he said.
“Social media accounts, have they been used on any banking accounts, would this now be a way we could do identity theft?”
The ABC asked Yahoo whether the data was genuine, and the company responded with a statement saying that they were “aware of a claim”.
“We are committed to protecting the security of our users’ information and we take any such claim very seriously,” they said.
“Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords or give up passwords altogether by using Yahoo Account Key and use different passwords for different platforms.”