Log-in credentials for over one million Gmail and Yahoo accounts are being sold on a dark web marketplace.
According to reports, a seller going by the name SunTzu583 is offering the accounts for sale. Among them are 100,000 Yahoo accounts allegedly harvested from the 2012 hack of Last.fm, according to HackRead. The records include usernames, email addresses and plain-text passwords.
A further 145,000 Yahoo accounts are also on sale, apparently taken from the October 2013 Adobe breach and the MySpace hack, which happened in 2008 but was not made public until 2016. These records include usernames, email addresses and decrypted passwords.
The number of Yahoo accounts on offer is dwarfed by the number of Gmail accounts said to be up for sale.
First up is 500,000 Gmail accounts, including usernames, email addresses and plain text passwords. According to HackRead, these came from 2014’s breach of the Bitcoin Security Forum, the Tumblr breach of 2013 and the same MySpace hack that yielded the Yahoo credentials.
It’s not clear if the Bitcoin Security Forum itself was breached in 2014, or if these Gmail accounts are from the same dump of five million accounts in September of that year.
A further 450,000 Gmail accounts are being offered by the same seller, said to be from a variety of breaches including Last.fm, Adobe, Dropbox, Tumblr and more.
All the accounts, totalling just under 1.2 million, are on sale in exchange for Bitcoin.
Infosecurity Magazine has reached out to Google and Yahoo for comment but has yet to receive a reply.
It has been a bad few months for Yahoo in terms of data breaches. The company has admitted to a number of incidents over the last few years that exposed customer details from over one billion accounts.
Users worried about the security of their Gmail or Yahoo account, particularly if they held an account with any of the breached services mentioned here, should change their password immediately. Because these credentials were leaked by third-party sites such as Last.fm, Adobe and Dropbox rather than by Google or Yahoo, they unlock a Gmail or Yahoo mailbox only where the same password was reused there, so any password that was used on more than one site should be changed everywhere it was used.
Users should also enable two-factor authentication where it is offered. It adds a second layer of protection by requiring, alongside the password, a unique one-time code that is generated by an authenticator app or sent to the user's mobile device, so a leaked password on its own is not enough to log in.