Yahoo is investigating the possibility that it has fallen victim to the hacker who caused ‘mega-breaches’ at LinkedIn and MySpace.
Almost 200 million usernames, passwords and dates of birth from the site have appeared for sale on the dark web for a price of three bitcoins (£1,360). It is unclear whether this is genuine, fake or old data.
In a statement, Yahoo said: “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”
The hacker is operating under the name “Peace” and has claimed that the data is “most likely” from 2012. The passwords for sale have been scrambled, or “hashed”, using the MD5 algorithm. However, this algorithm is notoriously weak, and it is relatively simple to recover the original passwords from the hashes.
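Why MD5 is a poor choice for stored passwords, shown as an added example that is not part of the original report: it contrasts a bare MD5 digest with a salted, slow key-derivation function (PBKDF2). The article does not say whether the leaked hashes were salted; the unsalted form, the sample accounts and the iteration count are assumptions made here.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor, chosen for this example


def md5_hex(password):
    """Bare MD5 of the password; the absence of a salt is an assumption."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_record(password, salt=None):
    """Salted, deliberately slow alternative: returns (salt, derived key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(kdf_record(password, salt)[1], expected)


def distinct_digests(users):
    """Count distinct stored values under each scheme for a user->password map."""
    md5s = {md5_hex(p) for p in users.values()}
    kdfs = {kdf_record(p)[1] for p in users.values()}
    return len(md5s), len(kdfs)


def seconds_per_hash(fn, rounds):
    """Average wall-clock cost of one hash computation."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample accounts, not data from the breach.
    users = {"alice": "Summer2012", "bob": "Summer2012", "carol": "x9!different"}
    print("distinct (md5, pbkdf2):", distinct_digests(users))
    print("md5 s/hash:   ", seconds_per_hash(md5_hex, 10_000))
    print("pbkdf2 s/hash:", seconds_per_hash(kdf_record, 3))
```

Two users with the same password share one MD5 digest but get different PBKDF2 records, and each PBKDF2 computation costs far more time than an MD5 computation, which is what makes stored values hard to reverse at scale.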
The publication Motherboard, which first reported the breach, claimed that most of the first two dozen accounts it tested were genuine. However, when it ran further tests it found that many of the details were old or invalid.
Yahoo added: “Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”