This Monday the pretty well known hacker who goes by the name "Peace" and was responsible for LinkedIn and Myspace breaches; started advertising a massive dump of yahoo user information. This data includes Email, hashed passwords, personal info and secondary email addresses. The hacker told motherboard, who broke the story, that he had been already been selling the data privately for weeks and is just now making it available to everyone.
A yahoo spokesperson said: We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.
Peace told Motherboard, “well fuck them they don't want to confirm well better for me they don't do password reset.” Typical good practices in this case would be for yahoo to do a password reset on all users but I speculate that they don't want to confuse and burden their primarily older user base.
He is selling the data for 3 Bitcoins, or around $1800 on the Tor-accessible marketplace called "The Real Deal". Motherboard purchased 5000 of the account credentials before it went public and found that some worked but most did not. Reporting that some of the data seems to be as old as 2012 pointing towards this being a connection of older data dumps being repackaged. Either way Yahoo needs to respond in the correct manor here and reset all use accounts.