Why not all data breaches are created equal, and why not data leaks are actually breaches.
Image: gorbach elen/Shutterstock
A Russian hacker is allegedly selling a whopping database of 272 million emails and passwords for less than $1. That's not a typo, and if it sounds ridiculous, it's because it is, but more on that in a moment.
On Wednesday, cybersecurity firm Hold Security claimed to have obtained a cache of 272 million credentials from a Russian underground forum. Those apparently came from some of the world's biggest email providers, such as Gmail, Yahoo, Microsoft and Russia's Mail.ru, according to Reuters.
Predictably, the story quickly made the rounds and got picked up by several media outlets. Some took it with more alarmism than others. "Millions of passwords stolen from Google and Yahoo users in major security breach," titled the Daily Mail. Fellow British tabloid The Sun went with "Cyber security alert as expert warns millions of Gmail, Hotmail and Yahoo email accounts have been hacked."
But there's actually no reason to freak out whatsoever. First of all, there's no evidence that these credentials were actually stolen from those email providers. In fact, Mail.ru, after a first check of a sample of the data, has found that none of those email and password combinations work, according to a spokesperson.
There's actually no reason to freak out whatsoever.
So what's going on here? For starters, Hold Security itself admitted this is not really a data breach.
"It seems to be a collection of different breaches," Alex Holden, the founder of Hold Security, told Motherboard.
Moreover, the hacker is clearly trying to inflate the number of credentials they have. Holden said the hacker passed his firm 1.17 billion credentials, but only 272 million were unique. And of those, only 42 million were credentials that the firm had never seen before.
Holden added that almost none of the passwords were encrypted. Also, the fact that all this data, which could lead to more hacks and identity theft if legit, was being sold for only $1 makes makes it even more likely that these are credentials culled and accumulated from older data breaches. Would-be hackers routinely put lists like these together to sell them to other hackers or spammers and make an easy buck (quite literally in this case).
"It's a non-event that's getting more headlines that the actual data warrants."
"I really think it's a non-event that's getting more headlines that the actual data warrants," Troy Hunt, a security expert who maintains the world's largest free repository of data breaches, Have I Been Pwned, told me. "You know how much effort we go to in trying to figure out if breaches are legit or not, it feels like that hasn't happened here."
Holden declined to share any of the data, saying that would not be "ethical."
"Usually we avoid [doing] that in the off chance that somebody will get offended or upset about it," he told me, adding that he hasn't decided whether to put up a website where victims can check if their email is part of the cache.
Without seeing the actual data, it's hard to know exactly where it came from or verify it in any meaningful way.
We live in an age where data breaches have become the norm. They're so common we almost have become desensitized. But big numbers still attract headlines, and cybercriminals, wannabe hackers, and even security firms know that. There's an incentive to inflate the extent of a breach, or to make it up completely—and that incentive exists for both hackers and security vendors.
Not every set of data that circulates online is a data breach and not every data breach is created equal. For the sake of internet users, we should all keep that in mind.
UPDATE, May 6, 11:06 a.m. ET: After analyzing 57 million Mail.ru credentials from the alleged breach, the Russian email provider concluded that 99.982% of those are "invalid," according to a spokesperson.
"22.56% of the database entries analyzed contain email addresses that do not even exist, 64.27% contain wrong passwords, and some of the entries (0.74%) have no passwords whatsoever. The 12.42% remaining accounts had already been marked as suspicious by Mail.Ru (which means that our system considers those either hacked or controlled by a robot) and blocked," the company wrote in a press release. "Only 0.018% of username/password combinations in the sample analyzed might have worked. We have already notified the affected users to change their passwords."
In light of their analysis, Mail.ru concluded that the database found by Hold Security "is most likely a compilation of a few old data dumps," and that "it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden's cyber security business."
In response to Mail.ru's analysis, Holden pointed out that him and his company had already acknowledged that they had already seen "most of the data," but also defended his company's intentions.
"I do not see why our report of a Russian hacker gathering an incredible number of stolen credentials and giving it away to fellow hackers (or security researchers posing as hackers) is being attacked by the same services that we are trying to warn and help to protect?" Holden said in an email to Motherboard. "I also did not see any comments in the statement about spam and phishing campaigns that could have affected these stolen email addresses."
UPDATE, May 9, 10:52 a.m. ET: Google has analyzed a batch of credentials from the 272 million and found that the overwhelmingly vast majority of them are not working, according to a company spokesperson. Almost all the credentials were a combination of invalid combinations of usernames and passwords, and some usernames didn't even exist.
"More than 98% of the Google account credentials in this research turned out to be bogus," a Google spokesperson told Motherboard. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected."
Holden told Motherboard that there were 23.78 million credentials with user id "@gmail.com."