[Update: Yahoo has confirmed the breach, which affects 500 million users. Read our follow-up article.]
Following reports that Yahoo will confirm a data breach that affects hundreds of millions of accounts, some users reported Thursday on Twitter and elsewhere that they were prompted to change their email password when trying to log in.
Yahoo launched an investigation into a possible breach in early August after someone offered to sell a data dump of over 200 million Yahoo accounts on an underground market, including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
The company has since determined that the breach is real and that it's even worse than initially believed, news website Recode reported Thursday, citing unnamed sources familiar with the investigation.
While Yahoo has yet to make an announcement and did not immediately respond to a request for comment, the company has prompted some users to reset their passwords in the past 24 hours due to "suspicious activity" on their accounts.
The prompt to reset passwords may not be directly linked to the reported data breach. But a confirmation of the breach now, more than a month and a half after the data was put up for sale, will likely prompt questions as to why the company waited so long before forcing users to change their passwords.
"If it really was available then and Yahoo are only confirming it now, I’d be really interested in why the delay was so long," said Troy Hunt, a security researcher who runs the data breach notification website Have I been pwned?.
The user who advertised the Yahoo account data on an underground website uses the online handle peace_of_mind and is a well-known seller of stolen information. He has previously put up for sale millions of account records from MySpace, LinkedIn, Tumblr and other websites and for the most part those breaches have been confirmed even though they had actually occurred years earlier.
"We saw LinkedIn, MySpace and tumblr [data dumps] all dating back many years yet just appearing for sale now so Yahoo may be consistent with that," Hunt said via email.
Given Peace's track record, the researcher said that he wouldn't have been surprised that the data was put up for sale last month if it proved to be authentic, even though some people questioned whether Peace actually had the information at that time.
It's odd that no one has managed to obtain a copy of the data set so far and confirmed its authenticity, at least not publicly, especially since Peace is known to drop his price over time. Hunt believes that if this data dump follows the the same pattern as other recent ones, it will turn up in the public domain soon and he will be able to add it to Have I been pwned.
A confirmation of the data breach this week would come as Yahoo's US$4.8 billion sale of its core internet operations to Verizon is being finalized; the deal has yet to be approved by regulators.