The ‘16 billion password breach’ story is a farce

Experts told CyberScoop the research “doesn’t pass a sniff test” and detracts from needed conversations around credential abuse and information stealers.

Supposed experts and mainstream media have spent the past few days hyperventilating over reports of a colossal data breach that exposed more than 16 billion credentials — a level of theft that should have defenders clutching their pearls. There’s just one inconvenient detail: the original report is curiously short on anything resembling actual evidence to support its sensational claim.

Attacks that affect billions of accounts often generate headlines and get the industry talking about ways to prevent the attack from repeating itself. Yet, the story Cybernews published Friday, which has been picked up and repeated across all manner of media in the past few days, has engendered eyerolls from cybersecurity experts for its extraordinary, dubious conclusions.

The firehose of content frames the exposed credentials as recent, singular and ultimately the largest data breach in history. Multiple incident response specialists, researchers and cybersecurity experts who spoke with CyberScoop either outright disputed those claims or questioned the data and analysis the assertion was based upon.

“These massive dumps have been announced for years, and they are always a recycled pile of credentials with a few new ones sprinkled in,” said Chester Wisniewski, director and global field CISO at Sophos.

The entire ordeal is yet another example of how the business interests of cybersecurity feed on fear — both perceived and real. Stories like this often spread like wildfire because they speak to real issues and to a perception that has set in across the industry.

Even if the details of Friday’s story are blown out of proportion, credential theft is a real and omnipresent threat. Credential abuse was the top initial access vector for breaches last year, according to Verizon. Infostealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, Flashpoint said in a March report. 

Yet, the limited evidence — just three screenshots — provided by Cybernews and Bob Diachenko, who is credited with “discovering” the credential breach, is a crucial sticking point. When reached for comment, Diachenko admitted that the data was cumulative records discovered since the beginning of the year and not reflective of a singular data breach.

“None of our CTI sources were able to verify that this is anything new,” and there are no raw files or verified feeds for researchers to sift through, said Rob Lee, chief of research and head of faculty at SANS Institute.

“In the intelligence world, we can’t have hyperbole,” he said. SANS isn’t invalidating the report entirely, but Lee noted: “This doesn’t pass a sniff test.”

Cyber threat intelligence relies on deep information broadly shared across the industry. Data or conclusions that aren’t actionable don’t help the community move things forward, Lee said. 

Other experts had similar sentiments.

“What we’re seeing is not a singular, headline-grabbing breach at a major tech company. This cache of around 16 billion credentials reflects around 30 separate databases, stealer logs compiled over years — lots of overlap, much of it old,” said Christiaan Beek, senior director of threat analytics at Rapid7.

The result is a “recycled, inflated dataset to generate fear,” Beek said. “Infostealer malware continues to collect credentials constantly, and these aggregated dumps get recycled and reissued on various forums or platforms.”

The impact of what’s contained in the dataset, something Beek described as a “fearset,” depends on which portion of the data is new and which has already circulated.

Allan Liska, threat intelligence analyst at Recorded Future, drew the same conclusion. “By comparing released sample data against previous credential leaks we can see that most, if not all, of these credentials were from previously released password dumps. Some going back years,” he said. 

“Given the formatting of the leak, it’s likely these were all from previous infostealer campaigns. There is no one campaign that they are tied to; instead, the passwords were collected from hundreds of different campaigns,” Liska said.

Exaggeration begets complacency

In an industry rife with real, indisputable problems, experts warned that misinformation or embellishment can be a disservice. At the very least, it deflects or draws attention away from verified attacks.

“Crying wolf does lead to complacency,” Wisniewski said.

Said Liska: “When headlines like these take up all the oxygen in the room, it’s harder for real security stories to garner the attention they need.” 

“The real lesson that should be learned from this is the pervasiveness of infostealer malware and how people and organizations should be protecting against this type of malware,” he continued. “The fact that someone was able to put together 16 billion records from, essentially, table scraps shows how big that problem is.”

While the report’s findings are questionable, it’s not a stretch to assume most credentials have already been stolen in one form or another. Passwords haven’t been fit for purpose for a long time, and stories like this underscore the importance of multifactor authentication and passwordless authentication methods.

“Any time we can focus the public’s attention on online hygiene, we should take the opportunity,” Wisniewski said. “People are under the mistaken belief that it can’t, won’t or hasn’t happened to them, and these stories highlight that it is happening to all of us and action is required.”

The hasty communications trap

What has made the situation even more damaging is that many cybersecurity companies responded to the story as a marketing opportunity for their products or a chance to insert executive commentary into the news cycle. Dozens of companies have reached out to CyberScoop to comment on the story over the past few days, accepting it as fact without investigating further internally or waiting for third-party experts to validate. 

Password manager Keeper Security posted commentary on LinkedIn describing “the largest password leak in history” as “confirmed,” repeating the claim that 16 billion credentials from major tech platforms, including Google and Apple, were exposed. 

Keeper Security said it has a standing policy of not commenting on any specifics of any attack without adequate information and stood by its commentary.

A Google spokesperson told CyberScoop the issue did not stem from a data breach. Apple did not respond to a request for comment. 

Communications in security in particular is “so driven by FUD (fear, uncertainty and doubt) and ambulance chasing, and I think that’s what you see with this story,” Kaylin Trychon, CMO at Edera, told CyberScoop.

“We have to be just as much a subject matter expert as we can be in this space, especially in a space where information and validating it is so critical,” she said. “It’s a really important job as a communications person to know when to say no, to know when to say this is not our fight, this is not a moment for us to capitalize on right now.”

Speaking about communications issues at large — not any specific company or executive’s reaction — Trychon said details are everything in intrusions or data breaches. People who comment too early run the risk of being incorrect, which may impact their expert status, Trychon said.

“Just because your name could be out there and the company brand could be out there, is not worth it if we get it wrong,” she said. “You didn’t have to say anything, and sometimes saying nothing is the best thing that you can do.”