Yahoo is investigating claims that a hacker has breached 200 million user accounts and put them up for sale on the dark web.
The hacker claiming to be behind the attack is 'Peace', who has been involved in several other high-profile data releases. The claim was first reported by Motherboard, which claims to have heard of the leak from Peace directly.
Yahoo confirmed that it is investigating the claims. "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously," said a statement from the company.
"Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and to use different passwords for different platforms."
James Romer, chief security architect for Europe at security firm SecureAuth, explained that the latest risk to user credentials proves that passwords remain the weak link in online security.
"This year has seen a huge number of compromised user credential breaches from big companies. Last week it was O2. But LinkedIn, Twitter and the National Childbirth Trust all appear on the hit list," he said.
"It's estimated that around 60 per cent of fraudulent cyber crimes are committed using stolen credentials, and we say time and again that having a simple password and username log-in process is just not enough with the advances in cyber crime and the increasing value of personal data.
"What will it take for businesses to stop this reliance on simple username and password credentials for authentication? We already see banks making a move to voice authentication as a way of eradicating the need for security questions and passwords, and it is imperative that more organisations take this lead and look to employ unique identifiers based on user behaviour which cannot be replicated, rather than passwords which we know are so open to fraud."
Brendan Rizzo, technical director for EMEA at HPE Security, said the incident underlined the lengths hackers will go to in order to get the data they want, meaning all users should be on their guard.
"Data has high value to attackers and, even though the information for sale on the black market is several years old, it can still be used for social engineering attacks to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen," he said.
The report of the Yahoo breach won't be good news for Verizon, which just agreed to pay almost $5bn for the firm.