In 2013, more than one billion Yahoo accounts were breached, and personal information like phone numbers, passwords, security questions and backup email addresses was stolen.
All of that data is for sale on the dark web, according to cybersecurity firm InfoArmor, which discovered the compromised information in August. At the time, it was sold to three parties for $300,000 each. Data is still for sale, but now that the breach is public, the price is expected to drop. (The dark web is an encrypted network only accessible through software like the privacy program Tor.)
Yahoo told CNNMoney it doesn’t speculate on data that may or may not be for sale on the black market, but it is currently looking into the claims.
Andrew Komarov, chief intelligence officer at InfoArmor, said his firm told law enforcement agencies about the hack in recent months. It contained data from employees of agencies including the FBI, NSA, the White House and officials in the U.K.
The FBI said at a White House briefing on Thursday it is investigating the incident.
Yahoo, which learned about the August 2013 hack last month, said it was separate from the massive breach announced in September. Yahoo attributed that attack, which compromised 500 million accounts, to a “state-sponsored actor,” but it has yet to identify the party responsible for the breach announced this week.
However, Komarov’s firm has identified the hackers as Group E, cybercriminals based in Eastern Europe with a track record of hacking Dropbox, Tumblr and Russia-based social network VK.com.
InfoArmor, which has tracked Group E for three years, doesn’t believe that the group perpetrated the hack for a foreign government.
“[Group E] earns money on selling stolen data mainly to spammers,” Komarov said in an interview with CNNMoney.
“But in the case of Yahoo, we can prove that they sold two to spammers and one potentially to a state-sponsored party or foreign intelligence agency.”
That buyer asked specifically for information about executives from financial corporations and government workers.
Even if you have changed your password or security questions since 2013, that sensitive data could help attackers phish you or your contacts. Hackers could use stolen information and pose as a friend or business to get you to click on malicious links and share even more data.
The two major breaches could put Verizon’s Yahoo acquisition in jeopardy. Verizon has agreed to a $4.8 billion deal to acquire the company, but in a statement said it is “[reviewing] the impact of this new development before reaching any final conclusions.”
Yahoo users should change passwords and security questions as soon as possible and be aware of emails asking for personal information. You might be impacted by the Yahoo hack and not know it.
It’s also important to do a security check up on all devices.