
E-mail breach not as bad as it seems

By Lauren Kate Rawlins, ITWeb digital and innovation contributor.
Johannesburg, 11 May 2016
Security expert Troy Hunt says it is important to verify data before declaring a major data breach.


A significant number of the 272 million credentials that formed part of a supposed e-mail breach that grabbed headlines last week are incorrect.

Australian security expert Troy Hunt says it is unclear where the data came from or who created it.

He says long lists of usernames, passwords and e-mail addresses exist on the dark Web, where they are traded by hackers for money or favour. However, the credentials on these lists are not always valid.

"Getting your facts right before declaring a major data breach is really important."

Media hype erupted after security company Hold Security released a report detailing how it recovered millions of stolen e-mail usernames and passwords from a hacker.

The stolen information supposedly came from popular e-mail providers Gmail, Yahoo, Microsoft and Naspers-owned Russian e-mail service, Mail.ru.

Mail.ru, which accounted for a majority of the accounts on the database, has said in a statement that its analysis of the database shows 99.9% of the credentials to be invalid. Most had incorrect passwords or used fake e-mail addresses.

"The database is most likely a compilation of a few old data dumps collected by hacking Web services where people used their e-mail address to register," says the company.

Hunt says there are a few unusual factors about the database.

"It is unlikely really large mail providers would lose such a large amount of data and not tell users about it. It is also highly unlikely these companies would store their data in plain text."

Hunt says the dataset released last week is almost inconsequential as there are a lot of similar automated lists on the Web. These are often collected from third-party Web sites with poor defence systems.

Have I been pwned?

Hunt runs a Web site that maintains a repository of data breaches. Typing an e-mail address into haveibeenpwned.com allows users to check if their information is listed in any one of the data breaches on the site.

The site is often incorrectly linked to by media outlets, even when the data breach is not listed there.

This was the case with last week's breach. Hunt says he had over 400 000 people visit his site on Friday after the news broke. The site normally gets an average of 10 000 to 20 000 hits a day.

The 272 million supposed hacked credentials released by Hold Security are not listed on Hunt's site.

Hunt told ITWeb there are a myriad of checks and processes the site undertakes to check if the breaches are legitimate. He detailed the process in a recent blog post.

Housekeeping

Even though the dataset may not be cause for concern, it is still a good time for users to change their passwords and think about where they have reused the same credentials, says Hunt.

He says the mail account is probably the most valuable to one's Internet presence, as it links to all other Web sites and bank accounts. It should therefore have its own unique password. He also recommends multiple-step accreditation.

Thefts of personal information or financial losses can result from hackers breaking into other accounts relying on the same credentials.

Hackers know users cling to favourite passwords, says Hunt. Attackers will reuse old passwords found on one account to try to break into the other accounts of the same user.
