The current data up for sale is priced at 3 Bitcoin (approximately $1,860), and includes usernames, MD5-hashed passwords, and dates of birth. Some of the records also reportedly include backup email addresses, countries, and zip codes. The data is old, however, dating back to 2012.
While the passwords are hashed rather than stored in plaintext, MD5 hashes are now extremely easy to crack, and this can be done almost instantly.
“We are aware of a claim,” Yahoo said in a statement to SoftPedia. “We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
Motherboard was sent a sample of 5,000 records by the hacker, and confirmed that two dozen of the usernames tested did correspond with actual accounts. When the reporter attempted to contact the breached accounts, however, many of the emails were returned as “undeliverable.”
It is likely that the company had issued password resets to the breached accounts to preemptively secure even abandoned ones, though Yahoo has not yet verified what steps it has taken.