Over the past week, many media outlets have reported that hackers obtained 272 million username and password combinations - putting at risk users of Gmail, Yahoo, Hotmail, and several overseas online services. The news was initially reported by Reuters with a headline: "Big data breaches found at major email services," and was followed by numerous reports in other media. Reuters even noted that the present leak was "one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago," and that the credentials that leaked included those for 40 million Yahoo accounts, 33 million Microsoft accounts, and 24 million Google accounts.
A leak of such magnitude obviously sounds extremely serious, and you might wonder why I did not cover this seemingly important news in my column, or mention it on social media until now. The answer is simple: since I first heard the story I have not believed it to be accurate. In fact, had I not been asked about the leak by multiple people, and, as a result of discussions with editors at Inc. decided to look into this matter further, I would probably not have even written this piece.
During the time that I was looking into the aforementioned "breach," several other journalists, columnists, and media venues expressed distrust of the original news, and some of the organizations whose passwords had allegedly leaked have denied that the vast majority of the stolen passwords were real; at least one such operation even accused the cybersecurity company that disclosed the leak of creating a panic for publicity reasons.
So, did passwords leak? Is there risk to consumers? What should people be doing?
Here is what seems to have happened - and what you need to know.
Reuters' source for the information in its original piece was Alex Holden of Hold Security, with whom I spoke earlier this week. According to Reuters, Holden obtained the cache of data from a hacker who asked for "just 50 rubles - less than $1 - for the entire trove," but who ultimately "gave up the dataset after Hold researchers agreed to post favorable comments about him in hacker forums," or, as was described on Hold's website, and as Hold told me when we spoke, the hacker ultimately demanded that Hold personnel only "add likes/votes to his social media page."
You read that correctly: the hacker demanded less than a dollar for 272 million passwords, and ultimately agreed to give away the data for free. (The hacker, who Holden told me comes from a small town in central Russia, actually claimed that he or she had more than 272 million passwords - 272 million is the figure that Holden said was left after removing duplicates and other problematic records.)
It should be obvious to anyone with even a rudimentary knowledge of how hackers operate that if a hacker is attempting to sell a huge trove of data for orders of magnitude less than he or she could get for it on the dark web - and then agrees to give away all of the data in exchange for some comments in a hacker forum or for social media likes - the data is likely of questionable value at best.
Holden told me that he recognized this as being the case, and that he told all involved that much of the data might be outdated or incorrect, but that within the huge volume of data it was likely that there were some credentials that were still valid. Furthermore, since many of the usernames within the collection were email addresses, and the collection was circulating among hackers, people whose usernames appeared in the collection may face escalated risks of being targeted with spam and phishing emails.
Holden also told me that the data consisted of username-password combinations - but lacked details specifying to which systems the credentials actually belonged. As such, Holden claimed, even if the passwords that appear to be Gmail passwords, for example, are invalid for accessing Gmail and other Google resources, they may be valid for gaining access to other systems. Since people reuse passwords between systems, Holden pointed out, even if a password was changed at Google it may still be valid elsewhere. Furthermore, according to Holden, even if only a small percentage of the passwords are still "live," with a collection of 272 million entries that still translates to a large number of people being at risk.
While Holden is right in theory, it is difficult to know how right he might be in reality - one cannot, practically speaking, test every username-password combination against every possible system to which it might belong. In any case, however, the risk implied by the Reuters headline and other portions of the article appears to be severely overstated. "Big data breaches found at major email services" seems to indicate that the major email providers themselves were hacked - and there is no indication that this is the case. And, as explained above, the figures of 40 million Yahoo accounts, 33 million Microsoft accounts, and 24 million Google accounts may also be completely wrong - the passwords may not even be for those systems.
Much of the coverage of the password leak in the media also seems to focus on the fact that a whopping 272 million passwords are now exposed - without giving enough weight to the point that, if Holden's conversation with me reflected what he told others, even the person who first reported the leak does not believe that anything more than a very small percentage of the collection actually represents valid passwords.
I am not sure where the miscommunication occurred, but the headline of the article on Holden's website - "HOLD SECURITY RECOVERS 272 MILLION STOLEN CREDENTIALS FROM A COLLECTOR" - while technically true, may have contributed to the confusion.
As the various parties involved began to test the passwords that Holden supplied them they issued statements. Yahoo has stated "our security team has investigated and we don't believe there is any significant risk to our users based on the claims shared with the press." Google contends that "more than 98% of the Google account credentials in this research turned out to be bogus. As we always do in this type of situation, we increased the level of login protection for users that [sic] may have been affected." Not to be outdone, Mail.ru - one of the foreign providers whose credentials allegedly leaked - noted that 99.98% of the Hold-supplied data was from invalid accounts. Still, Holden told me that even if these statements are accurate, the leak still poses risks for the reasons mentioned above.
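The provider statements above describe the check each company ran: comparing the supplied credentials against its own user records to see which accounts even exist and which passwords are still current, then stepping up protection for the few that matched. The following is an added illustration of that provider-side triage, not code from the article, from Hold Security, or from any of the providers; the user store, the password hashing (PBKDF2 as a stdlib stand-in for a production slow hash) and the dump lines are all constructed here.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed stand-in for a provider's user store: username -> (salt, slow hash).
# A production system would use bcrypt/argon2; PBKDF2 from the stdlib keeps this self-contained.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(accounts):
    """Build the constructed user store from plaintext sample passwords."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user.lower()] = (salt, _hash(pw, salt))
    return store

def triage_dump(dump_lines, store):
    """Classify each leaked 'email:password' line against the provider's own records."""
    seen = set()
    verdicts = Counter()
    to_protect = []                      # accounts that need a forced reset / step-up login
    for line in dump_lines:
        user, sep, pw = line.strip().partition(":")
        if not sep or "@" not in user:   # the 'problematic records' Holden said he dropped
            verdicts["malformed"] += 1
            continue
        user = user.lower()
        if (user, pw) in seen:           # duplicates were removed before the 272M count
            verdicts["duplicate"] += 1
            continue
        seen.add((user, pw))
        if user not in store:            # the 'bogus' majority Google and Mail.ru reported
            verdicts["no_such_account"] += 1
            continue
        salt, stored = store[user]
        if hmac.compare_digest(_hash(pw, salt), stored):
            verdicts["live"] += 1        # still-valid credential: protect this account now
            to_protect.append(user)
        else:
            verdicts["stale_password"] += 1   # real account, password already changed
    return verdicts, to_protect

# Constructed sample data (not from the real collection).
SAMPLE_STORE = make_user_store({"alice@example.com": "correct horse", "bob@example.com": "hunter2"})
SAMPLE_DUMP = ["alice@example.com:correct horse", "Alice@example.com:correct horse",
               "bob@example.com:oldpassword", "carol@example.com:whatever", "garbage line"]
VERDICTS, TO_PROTECT = triage_dump(SAMPLE_DUMP, SAMPLE_STORE)
```

The share of "no_such_account" plus "stale_password" verdicts is the "bogus" percentage the providers quoted; only the "live" list warrants the login protection Google described.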
Many have been critical of Holden's handling of the case. Mail.ru even stated that "it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden's cyber security business." Only Holden and those at Hold Security can know for sure, but they did not enhance their case by beginning their article by stating: "The business of recovering stolen credentials is not as simple as it would seem. We have set records before, initially with the Adobe user database including 153 million records, then with 360 million recovered in February 2014, and finally with 1.2 billion credentials in the most substantial breach known to date."
Of course, it is possible that some of the passwords remain valid at some sites - and, because Holden has not yet made available to the public any tool for people to check if their passwords are within the collection - and since he obviously will not and should not release the database to the public - there is little that anyone can do to check.
But the key issue that arises from the way this leak was handled isn't just a matter of potential exaggerations or questionable journalism: It's a matter of information security.
Information security professionals, and media covering information security stories, must be careful not to sensationalize risk. Any falsehoods or exaggerations can transform an expert into the "boy who cried wolf" and convince the public that the media is alarmist - and cause people, therefore, to ignore genuinely serious issues. Due to how the present story was reported, many people are not recognizing that there may be real risk to some people from the present leak. Even more significantly: what if there actually were a breach at Yahoo, Gmail, or Mail.ru that happened today and Hold Security was the source that discovered it (which it very well might be, considering that the firm does look for password leaks)? How many people and media venues would simply ignore its warnings? Imagine the impact on the economy and national security if, when major information-security vulnerabilities are found, people choose to dismiss the alerts as mere marketing.
What should business owners do now? In terms of the major email providers - don't worry, unless you hear from Google, Microsoft, or Yahoo that there is something for you specifically to worry about. There is a reason that these firms are not issuing warnings en masse about Holden's discovery. If Holden does create a tool for consumers to check if any passwords leaked for any particular email addresses, it would be worth checking yours; for now there is no way to do so.
But, perhaps most importantly, don't discount future reports of leaks just because this one seems to have been grossly exaggerated. Remember: even if a cybersecurity firm and/or a major media outlet seems to have cried wolf this time, all cybersecurity experts agree that there are many real wolves out there - and they are dangerous.