The Giant Email Hack That Wasn’t
On Thursday, a Reuters report described how hackers were peddling some 272.3 million usernames and passwords for unsuspecting users’ email accounts, raising concerns of yet another major data breach at a time when cybersecurity sensitivity is at an all-time high.
Ensuing stories suggested the information had been pilfered from popular consumer services including Gmail, Yahoo Mail, and Russia’s Mail.ru. By Friday, though, the services themselves (as well as independent analysts) concluded that the situation was not quite what it seemed.
The data stash was not the product of a large-scale hack of some of the world’s biggest email platforms, they argued. Instead, it seems to have been drawn from a variety of less secure third-party sites over a long period of time and subsequently aggregated.
What’s more, most of the stolen credentials were invalid.
Get Data Sheet, Fortune’s technology newsletter.
Yahoo (YHOO) has issued a statement denying that it was hacked, as did Mail.ru, Russia’s biggest email provider. Google (GOOG) told Ars Technica that 98% of the Google user data in the database was “bogus.” Mail.ru’s analysis found that 22.56% of Mail.ru email addresses in the database did not exist, another 64.27% were matched to incorrect passwords, and the remaining 12.42% had already been identified as compromised. Only 0.018% of the email-password combinations, the company said, were correct and current.
The original report, from a firm called Hold Security, actually made clear that the database was a “collection of multiple breaches over time,” which explains why most of the data was outdated and most passwords incorrect. These sorts of collections of many smaller hacks are widespread on the so-called dark web, where low-level hackers offer to sell the usually not-very-useful data for small sums. The compiler of this particular database was asking for $1, which Hold said was a red flag about the quality of the data.
For more on cybersecurity, watch:
Though Hold Security was clear from the outset about what it had found, critics, including at Ars Technica, say the company should have done more to cool down the media response. Troy Hunt, who runs a large database of compromised login data, has questioned whether Hold Security CEO Alex Holden should have done more to verify the data before going to the press.
The knee-jerk reaction to the incident may have been too severe, but there remains a real lesson to draw from the situation. Some of the accurate email-password combinations found in the data cache probably came from users who re-used their email passwords on other sites.
So, in case you needed to be reminded, don’t do that.