Yahoo breach: your account is selling for pennies on the dark web

So, how much is your Yahoo login selling for on the dark web?

Because yes, of course it’s for sale. If yours was one of the 1bn – yes, that’s a billion – accounts that Yahoo last week disclosed had been stolen from it back in 2013, it’s been on sale since at least August.

That, at least, was when InfoArmor spotted the massive database with a price sticker on its hide. The firm’s chief intelligence officer, Andrew Komarov, told the New York Times that a geographically dispersed hacking group based in eastern Europe managed to sell a copy of the database to three buyers for $300,000 each.

Yahoo said that it didn’t know who broke into its systems in 2013, how they did it or what they did with the data.

InfoArmor thinks it knows a bit of the “who” part of the equation: it believes that two of the purchasers were known spammers, and one appeared to be more interested in espionage.

The firm identified the hackers selling the database as Group E: a financially motivated group with a history of hacking Dropbox, Tumblr and Russia-based social network

Komarov told CNNMoney:

[Group E] earns money on selling stolen data mainly to spammers.

But in the case of Yahoo, we can prove that they sold two to spammers and one potentially to a state-sponsored party or foreign intelligence agency.

According to InfoArmor, the buyer that might have been interested in espionage specifically asked for proof that the Yahoo database held valid data pertaining to corporate execs and government workers.

Bloomberg gave specifics about the government part of that: the Yahoo database includes details about more than 150,000 US government and military employees.

That means names, telephone numbers, birth dates, backup email addresses, hashed passwords (MD5, according to Yahoo’s disclosure, not encrypted passwords) and, in some cases, unencrypted security questions and answers are now in the hands of cybercrooks.

Government workers may also have given their official government email accounts to Yahoo as backup email accounts, so in theory their names and official email accounts could be used by foreign intelligence services in spearphishing attacks.

In fact, it was a phishing email that led to the hacking of the personal email account of John Podesta, chairman of Hillary Clinton’s presidential campaign.

These are the kinds of government targets included in the Yahoo database, according to Bloomberg:

The government accounts belong to current and former White House staff, US congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the U.S. military.

The list includes an FBI division chief and multiple special agents working around the US; current and former diplomats in Pakistan, Syria and South Africa; a network administrator at NSA’s Fort Meade headquarters; the chief of an Air Force intelligence group; and a human resources manager for the CIA.

So let’s rephrase that initial question: how much is the Yahoo account of the CIA HR manager selling for on the dark web? (And yes, that data is still up for sale, according to InfoArmor.)

In the past, we’ve seen stolen accounts selling for as little as pennies.

When account monitoring company LogDog recently took a look (PDF) at this thriving part of the underground economy, it reported that Yahoo accounts were selling for between 70 cents and $1.20.

Fast forward to now, with Yahoo’s multiple mammoth breaches going very public indeed, and the price of those already dirt-cheap accounts is expected to drop further, CNNMoney reports.

What costs less than 70 cents in the US? Gumballs.

Oren Falkowitz, a former analyst at the National Security Agency who now runs Area 1, a Silicon Valley security start-up, told the NYT that it’s not access to Yahoo users’ email accounts that makes the breach so dangerous.

Rather, it’s that the information gleaned from Yahoo, including that of government or corporate workers, can be a springboard into other breaches and the theft of other, more lucrative information about targets:

This wasn’t an attack against Yahoo, but rather reconnaissance to launch other campaigns.