In August, Yahoo told Motherboard that it was "aware of a claim," but didn't deny a data breach. Peace replied that "they dont [sic] want to confirm well better for me they dont [sic] do password reset."
Peace also claimed to have "been trading the data privately for some time" before deciding to sell it. Users who want to protect their accounts should log in to Yahoo.com immediately and take the option to reset their passwords.
Motherboard checked two dozen account credentials supplied by Peace, and discovered that the usernames did correspond to Yahoo accounts. Yahoo apparently protected its user passwords with the MD5 hashing algorithm, for which the first weakness was found in 2005. No company should have been using the algorithm in 2012.
RELATED: What Your Co-Workers Are Really Saying in That Email
Yahoo is currently trying to sell itself to Verizon, and Recode speculated that news of a massive data breach could sent Yahoo stock tumbling, lowering the cost for Verizon.
Yahoo users who want to protect their accounts should log in to Yahoo.com immediately and reset their passwords. If Yahoo doesn't prompt you to do so, then visit Yahoo's Set a new password page and change the password manually. Users can also use Yahoo Account Key, which eschews passwords in favor of using the Yahoo mobile app to turn smartphones into authentication devices.
As we say every time we report on a massive server breach, never, ever, recycle passwords. If your email address and password have been available on the black market for months, along with a secondary email address, you better not have used those same credentials for online banking or other highly valuable accounts.
Get more from Toms Guides
Copyright 2016 Toms Guides, a Purch company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.