Wednesday, 4 May 2016

A Hacker Is Selling 272 Million Email Logins, But There’s No Reason To Panic

A Russian hacker is allegedly selling a whopping database of 272 million emails and passwords for less than $1. That’s not a typo, and if it sounds ridiculous, it’s because it is, but more on that in a moment.

On Wednesday, cybersecurity firm Hold Security claimed to have obtained a cache of 272 million credentials from a Russian underground forum. Those apparently came from some of the world’s biggest email providers, such as Gmail, Yahoo, Microsoft and Russia’s Mail.ru, according to Reuters.

Predictably, the story quickly made the rounds and got picked up by several media outlets, some with more alarmism than others. “Millions of passwords stolen from Google and Yahoo users in major security breach,” the Daily Mail headlined. Fellow British tabloid The Sun went with “Cyber security alert as expert warns millions of Gmail, Hotmail and Yahoo email accounts have been hacked.”

But there’s actually no reason to freak out whatsoever. First of all, there’s no evidence that these credentials were actually stolen from those email providers. In fact, Mail.ru, after a first check of a sample of the data, has found that none of those email and password combinations work, according to a spokesperson.


So what’s going on here? For starters, Hold Security itself admitted this is not really a data breach.

“It seems to be a collection of different breaches,” Alex Holden, the founder of Hold Security, told Motherboard.

Moreover, the hacker is clearly trying to inflate the number of credentials they have. Holden said the hacker passed his firm 1.17 billion credentials, but only 272 million were unique. And of those, only 42 million were credentials that the firm had never seen before.

Holden added that almost none of the passwords were encrypted. Also, the fact that all this data, which could lead to more hacks and identity theft if legit, was being sold for only $1 makes it even more likely that these are credentials culled and accumulated from older data breaches. Would-be hackers routinely put lists like these together to sell them to other hackers or spammers and make an easy buck (quite literally in this case).
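The two paragraphs above describe the triage an analyst does on a dump like this: collapse the raw lines to unique email/password pairs, count how many pairs are not already in a corpus of known breaches, and check whether the password field is plaintext or a hash. The script below is an added illustration of that triage and is not code from Hold Security, Have I Been Pwned or the article; the dump lines, the hash heuristic and the "previously seen" set are all constructed for the example.

```python
import re

# Constructed sample "dump" in the common email:password form.  These are
# made-up credentials for illustration only, not data from the article.
# The 32-hex-character value is the MD5 of the string "password"; the $2b$
# value is a made-up string in bcrypt's format.
SAMPLE_DUMP = """\
alice@example.com:hunter2
Alice@Example.com:hunter2
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
carol@example.net:$2b$12$C6UzMDM.H6dfI/f/IKcEeOxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dave@example.org:letmein
dave@example.org:letmein
malformed line without separator
eve@example.com:password123
"""

# Constructed stand-in for a corpus of pairs already seen in earlier breaches
# (the role a service like Have I Been Pwned plays in the article).
PREVIOUSLY_SEEN = {
    ("alice@example.com", "hunter2"),
    ("dave@example.org", "letmein"),
}

HEX_HASH_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA-1, SHA-256
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
CRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$", "$1$", "$5$", "$6$")


def looks_hashed(secret):
    """Heuristic: does the password field look like a hash rather than plaintext?"""
    if HEX_RE.match(secret) and len(secret) in HEX_HASH_LENGTHS:
        return True
    return secret.startswith(CRYPT_PREFIXES)


def parse_dump(text):
    """Yield (email, secret) pairs; email is lower-cased so case variants
    of the same address collapse together.  Lines without a separator are
    skipped rather than guessed at."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, secret = line.split(":", 1)
        yield email.strip().lower(), secret


def triage(text, previously_seen):
    """Return the counts that show how much of a dump is actually new:
    raw lines, unique pairs, pairs not in the known corpus, and how many
    of the unique pairs carry a plaintext password."""
    raw = list(parse_dump(text))
    unique = set(raw)
    novel = unique - previously_seen
    hashed = sum(1 for _, secret in unique if looks_hashed(secret))
    return {
        "raw_lines": len(raw),
        "unique": len(unique),
        "novel": len(novel),
        "unique_plaintext": len(unique) - hashed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, PREVIOUSLY_SEEN).items():
        print(f"{key:>17}: {value}")
```

On the constructed sample, eight parseable lines collapse to five unique pairs, of which three are not in the known corpus and three are plaintext; run against a real dump, the same ratios are what separate "1.17 billion credentials" from "42 million never seen before". The hash heuristic is deliberately conservative: it recognises only fixed-length hex digests and the common crypt-style prefixes, so a short hex-looking password is still counted as plaintext.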


“I really think it's a non-event that's getting more headlines than the actual data warrants,” Troy Hunt, a security expert who maintains the world’s largest free repository of data breaches, Have I Been Pwned, told me. “You know how much effort we go to in trying to figure out if breaches are legit or not, it feels like that hasn't happened here.”

Holden declined to share any of the data, saying that would not be “ethical.”

“Usually we avoid [doing] that in the off chance that somebody will get offended or upset about it,” he told me, adding that he hasn’t decided whether to put up a website where victims can check if their email is part of the cache.

Without seeing the actual data, it’s hard to know exactly where it came from or verify it in any meaningful way.

We live in an age where data breaches have become the norm. They’re so common we almost have become desensitized. But big numbers still attract headlines, and cybercriminals, wannabe hackers, and even security firms know that. There’s an incentive to inflate the extent of a breach, or to make it up completely—and that incentive exists for both hackers and security vendors.

Not every set of data that circulates online is a data breach and not every data breach is created equal. For the sake of internet users, we should all keep that in mind.
