More than one million Yahoo and Gmail accounts – including usernames, email addresses and plain text passwords – are reportedly for sale on the dark web.
The dark web vendor SunTzu583, who posted the sale offer, claims to have 100,000 Yahoo accounts from the 2012 Last.fm data breach and 145,000 Yahoo accounts from the 2013 Adobe breach and 2008 MySpace hack. The accounts are on sale for between 0.0079 bitcoins and 0.0102 bitcoins each.
SunTzu583 also claims to have 500,000 Gmail accounts that came from the 2008 MySpace hack, the 2013 Tumblr breach and the 2014 Bitcoin Security Forum breach – for a price of 0.0219 bitcoins per account, more than twice the going rate for a Yahoo account. Another 450,000 Gmail accounts, taken from other data breaches that took place from 2010 to 2016, were also listed for sale for 0.0199 bitcoins.
The data on sale by SunTzu583 is thought to be genuine, having reportedly been checked by matching it to data on data breach notification platforms, including HaveIBeenPwned.
Martin Sweeney, CEO of Ravelin, told SC Media UK, “The dark web is now the source of the most frequent crime in the UK – payment fraud. Every day we see new tranches of details going on sale. These details then fuel the account takeovers and identity thefts that are costing UK business billions of pounds every year.
“Businesses are starting to fight back. Using smarter techniques like machine learning and two-factor authentication, the security holes are being plugged. But without significant consumer education and a greater ability for the police to prosecute, there is still huge opportunity for the amateur fraudster to make a killing using stolen details bought cheaply on the dark web.”