Given everything that’s been happening with Yahoo in recent months, the Sunnyvale-based company would probably prefer to forget 2016 as soon as possible. On Thursday, Yahoo revealed that it suffered a massive security breach in 2013, in which malicious hackers stole approximately one billion user accounts. This incident marked Yahoo’s third privacy-related scandal in the span of just a few months, and by the looks of it, it’s the worst one so far. As it turns out, hackers stole not just email addresses and passwords, but also users’ names, birth dates, security questions, backup email addresses, and phone numbers, all of which were hashed with the outdated MD5 message-digest algorithm. In other words, while none of the information stolen by attackers was stored in plaintext, it’s unlikely hackers had any issues with cracking the unsalted MD5 hashes.
The latest report from The New York Times confirms as much: the outlet now claims that an unencrypted version of this database was sold three times since August of this year. This report originates from Andrew Komarov, Chief Intelligence Officer at the Scottsdale, Arizona-based cyber security agency InfoArmor. More specifically, Komarov claims the database of stolen Yahoo accounts was sold to two notorious spammers and another party who was looking to use it for espionage purposes. All of the sales were allegedly concluded on the Dark Web, and each buyer paid about $300,000 for the entire database. Seeing how the 2013 breach of Yahoo’s email service was the largest known hacking attack in history, that figure certainly doesn’t seem too high. However, no one knows what happened to the stolen data between 2013 and this August, when the hacked database became available for purchase on the Dark Web.
What’s even more worrying is that Yahoo allegedly wasn’t even aware of the breach until some US intelligence agencies notified it of the incident earlier this month, after obtaining evidence of the attack from an unknown source. This certainly doesn’t spell good news for the company’s efforts to sell its core business to Verizon. The largest wireless carrier in the country already put the transaction on hold following Yahoo’s disclosure of another major security breach from 2014, and as things stand right now, it will be a while before this entire matter is put to bed.