More than 1 million usernames, emails and decrypted passwords of Gmail and Yahoo accounts have been found on sale in a dark web marketplace.
According to reports, a dark web seller who goes by the name of SunTzu583 is offering to sell 100,000 Yahoo accounts from the 2012 Last.fm data breach, 145,000 Yahoo accounts from the 2013 Adobe breach, and accounts from the 2008 MySpace hack. The accounts are being individually offered for sale at between 0.0079 bitcoin ($9.33) and 0.0102 bitcoin ($12.04) each.
In addition, the same seller is offering 500,000 Gmail accounts from the 2008 MySpace hack, the 2013 Tumblr hack and a 2014 bitcoin security forum breach, along with an additional 450,000 Gmail accounts obtained from data breaches between 2010 and 2016. The data has been confirmed through websites such as HaveIBeenPwned as well as by attempting to enter the information into login pages.
Hacking news site Hack Read contacted a number of users who have their login credentials mentioned in the sample data and with their permission, the site attempted logging into different platforms including MySpace, Dropbox and Tumblr. In many cases, it was unable to access the accounts mentioned, but only due to the users having changed their passwords or the accounts being suspended because the users failed to change passwords after the breaches occurred.
“Although the data is old … it poses a massive security threat for victims since it is in clear text format and available altogether at one place,” the publication noted.
Users who are concerned about the security of their Gmail or Yahoo accounts are being advised again to change their passwords immediately. They also should also consider enabling two-factor authentication where it is offered to add an additional layer of security to online services. In that case, an attempted login from an unknown or unverified device or machine requires a unique, onetime code sent to a mobile device to be entered with the password for that device or machine to gain access to the account.