In the last few weeks, we've seen a lot of supposed mega hacks garner big media attention. And why not? We're talking about more than 1 billion people at risk - if these breaches had been real and current. But that's not the case.
The strange thing is that I'm not really upset about this. Normally, I get incensed when I see the media get security stories wrong. But the greater good in the security business counts for something, and it just may be that these overhyped breach stories led a lot of people to take the simple steps they need to follow to increase the security of their accounts.
The latest mega hack story that was misrepresented was the compromise of 117 million LinkedIn accounts. You can find stories about it on just about every major news site, and they were shared widely on Facebook. Clearly this must have been a significant hack that people needed to know about.
But the hack actually occurred four years ago. What is supposedly news is that a hacker is offering the 117 million account credentials garnered in that old breach for sale in criminal forums on the dark web. In theory, all of those passwords should have been changed long ago. In reality, a lot of them weren't, so some accounts are still at risk - just not anywhere near 117 million of them.
Earlier this month, we had a report that 272 million accounts had been hacked, and a Russian hacker was selling all of the credentials for less than $1, primarily for the notoriety. The credentials were for accounts at almost all the major Internet sites, including Yahoo, Gmail and Hotmail. All the major news venues reported on the hack and issued urgent warnings for people to change their passwords. That was actually awesome from a security perspective.
But within two days the hack was being described as hype. One website stated that 99.9% of the compromised credentials were invalid.
The largest mega hack that wasn't, in the last month, was at Pwnedlist. In this incident, 866 million accounts were supposedly compromised. Pwnedlist is a site that was maintained by InfoArmor as a public service, designed to help companies track public password breaches that may create security problems for their users.
In this case, a legitimate user of the site tampered with a request parameter and was able to search for any domain or account listed on the site, not just the ones that user was entitled to. A breach involving 866 million credentials certainly sounds awful. But all of the credentials available in Pwnedlist are there precisely because they have already been flagged as compromised. How do you compromise compromised credentials? There really was no increased risk for the accounts in question. It would have been better if the vulnerability had not existed, but that is a very different story from 866 million accounts being freshly compromised.
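The Pwnedlist flaw, as the column describes it, is an authorization failure on a request parameter: the server accepted whatever domain the client named. The following is an added example, not Pwnedlist's or InfoArmor's code, showing a per-domain breach-search handler that trusts a client-supplied `domain` parameter next to one that checks that parameter against the authenticated user's entitlements. The user names, domains and breach entries are constructed for illustration, and the only thing assumed about Pwnedlist is what the column states: a legitimate user could change a parameter and search domains that were not theirs.

```python
# Added example (not Pwnedlist's or InfoArmor's code): a per-domain breach
# search endpoint, first trusting a client-supplied parameter outright,
# then enforcing server-side authorization on that parameter.
from typing import Dict, List, Mapping, Set, Union

# Constructed sample data. In a real service the mapping of customers to
# the domains they own, and the breach index itself, would live in a database.
AUTHORIZED_DOMAINS: Dict[str, Set[str]] = {
    "alice": {"example.com"},
    "bob": {"example.org"},
}
BREACH_INDEX: Dict[str, List[str]] = {
    "example.com": ["ceo@example.com", "it@example.com"],
    "example.org": ["admin@example.org"],
    "example.net": ["root@example.net"],  # nobody in this demo owns example.net
}


class Forbidden(Exception):
    """Raised when an authenticated user requests a domain they do not own."""


def canonical_domain(raw: str) -> str:
    """Normalise a domain exactly once, so the authorization check and the
    index lookup see the same value (whitespace, trailing dot, case)."""
    return raw.strip().rstrip(".").lower()


def search_vulnerable(user: str, params: Mapping[str, str]) -> List[str]:
    """Vulnerable handler: the web form pre-fills 'domain' with the user's own
    domain and the server assumes it is still that value. Editing it in the
    request (parameter tampering) returns any domain's records."""
    domain = canonical_domain(params.get("domain", ""))
    return list(BREACH_INDEX.get(domain, []))


def search_hardened(user: str, params: Mapping[str, str]) -> List[str]:
    """Hardened handler: the parameter is untrusted input and must name a
    domain the *authenticated* user is entitled to see. Deny by default."""
    domain = canonical_domain(params.get("domain", ""))
    if domain not in AUTHORIZED_DOMAINS.get(user, set()):
        # A denied request is also a useful detection signal: log who asked
        # for what, since legitimate users rarely request others' domains.
        raise Forbidden(f"user {user!r} is not authorized for {domain!r}")
    return list(BREACH_INDEX.get(domain, []))


def attempt(handler, user: str, params: Mapping[str, str]) -> Union[List[str], str]:
    """Run a handler and return its results, or the string 'forbidden'."""
    try:
        return handler(user, params)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    legit = {"domain": "example.com"}
    tampered = {"domain": "Example.NET."}  # edited in an intercepting proxy
    print("vulnerable, legit   :", attempt(search_vulnerable, "alice", legit))
    print("vulnerable, tampered:", attempt(search_vulnerable, "alice", tampered))
    print("hardened,   legit   :", attempt(search_hardened, "alice", legit))
    print("hardened,   tampered:", attempt(search_hardened, "alice", tampered))
```

The point of the hardened version is that entitlement is decided from server-side state (who the session belongs to and which domains that account owns), never from what the client sent. Normalising the parameter before both the check and the lookup matters too: if the check compared the raw string but the lookup lower-cased it, `Example.NET.` would slip past. A stricter design drops the parameter altogether and enumerates only the domains bound to the session.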