Teacup Tempests

A recent data breach scare highlights the importance of carefully evaluating news reports of data breaches before reacting. Reuters (followed by many others) broke a story relating how 272 million account credentials – including Gmail, Microsoft and Yahoo! Email – had been exposed. “Change your password now!” read the headlines. Time to react, right?

Or not. A closer look revealed that the breach had been reported by a little-known company named Hold Security, which had obtained the information from a young hacker who had offered to sell the list of compromised credentials for less than $1! Sample checks of the list revealed that most of the credentials no longer worked and were likely just an amalgamation of data from older breaches.

Gmail and Mail.ru (one of the largest email providers in Russia) responded promptly, reporting that more than 98% of their respective email accounts on the list were bogus.

This turn of events raises the question: how does one tell the difference between a valid breach report and “much ado about nothing,” as this recent one has turned out to be? The answer, as usual in security matters, is to be diligent, research the matter, and be wary of security stories originating from general news outlets. Well-respected sources of security information will always research new breach reports before generating headlines about them.

The best approach is to respond quickly by carefully researching any new report of a potential threat when it comes out, but not to react (or overreact) until it has been verified via trusted sources. Sites such as SANS and Ars Technica tend to be more sober and deliberate in their reporting. Also, unless the breach affects you directly, it’s best to wait a couple of days to see how the security community responds. They will always either confirm the problem or (as in this case) tear it down.