Yahoo’s exfiltration of MD5 credentials

Following Yahoo’s announcement that approximately 500 million accounts had been stolen by what it believed to be state-sponsored hackers, the Arizona-based security company InfoArmor claims to have traced the Yahoo data theft to a hacker group called “Group E”. “Group E” is believed to have attempted to sell the Yahoo credential data 3 times since 2015. The data is believed to have been stolen sometime prior to December 4, 2014.

InfoArmor claims to have been tracking “Group E” since 2013, after the hacker group allegedly stole 100M+ records from LinkedIn.

InfoArmor further claims that the data was exfiltrated in more than 100 large chunks, ordered alphabetically by user account name. Based on 8 of the 10 Yahoo IDs provided by The Wall Street Journal, which InfoArmor successfully cracked in under 48 hours, the Yahoo data is believed to have included:

  1. Login ID
  2. Country Code
  3. Date of Birth
  4. Recovery email address & ZIP code
  5. MD5-hashed password
  6. Mobile phone number
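The list above is what makes the “cracked in under 48 hours” claim unsurprising: an unsalted MD5 digest is cheap to compute and identical for every user who chose the same password, so a single precomputed table answers every record in a dump at once. The following Python is an added illustration, not code from the article or from InfoArmor; the user records, passwords and wordlist are constructed for the example, and the PBKDF2 iteration count is an assumption to be tuned to your own hardware budget. It contrasts the weak scheme with a salted, deliberately slow hash and shows the usual migration path: re-hash a legacy record the next time its owner logs in.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample: login IDs and plaintext passwords invented for this example
# (not real Yahoo data). The simulated "dump" stores each password as unsalted MD5,
# the scheme the article says the stolen Yahoo records used.
CONSTRUCTED_USERS: Dict[str, str] = {
    "alice01": "password",
    "bob_smith": "123456",
    "carol.k": "password",       # same password as alice01
    "dave99": "Tr0ub4dor&3xyz",  # deliberately absent from the wordlist below
}

# Constructed mini wordlist standing in for the very large lists used in practice.
CONSTRUCTED_WORDLIST: List[str] = ["letmein", "password", "123456", "qwerty", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as a stored credential appears in such a dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_dump(users: Dict[str, str]) -> Dict[str, str]:
    """Simulate the leaked table: login ID -> unsalted MD5 hex digest."""
    return {login: md5_hex(pw) for login, pw in users.items()}


def recover_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Why unsalted MD5 fails: one precomputed table is checked against every record.

    With no salt, every user sharing a password shares a digest, so the cost is one
    hash per wordlist entry in total, not one per entry per user. Any record whose
    password is in the wordlist is resolved by a dictionary lookup.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {login: table[digest] for login, digest in dump.items() if digest in table}


# --- Hardened scheme: per-user random salt plus a deliberately slow KDF ---

PBKDF2_ITERATIONS = 600_000  # assumption for this example; tune to your hardware budget


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$dk_hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(login: str, password: str, legacy_dump: Dict[str, str]) -> Optional[str]:
    """Migrate a legacy unsalted-MD5 record to the salted KDF when the user next logs in.

    Returns the replacement record if the password matches the legacy digest, else None.
    Once every active user has logged in, the remaining MD5 rows can be force-reset.
    """
    if hmac.compare_digest(md5_hex(password), legacy_dump.get(login, "")):
        return hash_password(password)
    return None


if __name__ == "__main__":
    dump = build_dump(CONSTRUCTED_USERS)
    print("recovered from unsalted MD5:", recover_unsalted(dump, CONSTRUCTED_WORDLIST))
    rec_a = hash_password("password")
    rec_c = hash_password("password")
    print("same password, different salted records:", rec_a != rec_c)
    print("verify ok:", verify_password("password", rec_a),
          "| wrong password:", verify_password("Password", rec_a))
```

Running it shows three of the four constructed users recovered from the MD5 dump by lookup alone, while the two PBKDF2 records for the same password differ because each carries its own salt, so a leak of the hardened table forces an attacker to work per user and per guess instead of once for everyone.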

Yahoo first investigated the possibility of a breach in July, after discovering that the hackers Tessa88 and ‘Peace of Mind’ were trying to sell Yahoo credential dumps that mixed legitimate data with bogus records. During the same period, Yahoo was in the process of selling its internet business and some real estate to Verizon Communications for $4.8B. In its securities filing of September 9th, Yahoo stated that it was not aware of any loss, theft, unauthorized access, or security breach of user data.

[Image: example of Yahoo hash-based credentials]