Rick Holland, vice president of Strategy at Digital Shadows
A listing has been identified on the Real Deal dark web marketplace for what was purported to be 200 million Yahoo! user accounts. The listing was added by Peace (AKA Peace of Mind). The description for this listing claimed that the data dated back to 2012 and priced the data at three Bitcoin (approximately $1860 USD).
The listing description contained 586 rows of data provided as a sample, each of which contained a user name, date of birth and unsalted MD5 password hash. Some, but not all, of the rows also included email addresses. Motherboard Vice has partially verified a sample of the dataset, but at the time of writing it was unknown whether this data was genuine.
However, as Peace has previously been found to have posted genuine breach data, it was assessed as a realistic possibility that this dataset was genuine. Due to the age of the dataset, it was assessed as highly likely that this information has already been used for malicious purposes. The posting of the data for sale was likely to result in it being available to a greater number of threat actors, indicating that it will highly likely be more widely used in the immediate future. As the passwords in the dataset were found to be unsalted MD5 hashes, the data could likely be used to facilitate password re-use attacks against users who have used the same password for multiple accounts.