Journalists, please read this before reporting on passwords leaks

Mark Burnett
Published in XATO · 3 min read · May 9, 2016
We’ve all been hacked!

Last week we had a bit of excitement in the security world — at least you’d think so by reading all the headlines. After all, most of us use Gmail, Hotmail, or Yahoo, and it’s unsettling knowing your account password might be compromised.

The problem here is that all too often the headlines are terribly misleading and too many people just see the headlines and never the article.

In this case, we find out that one guy made an unsubstantiated claim that he found someone selling compromised accounts on an underground forum. After reading more, we learn that these aren’t recently stolen accounts, but rather a collection of passwords from other hacks, possibly going back years. Chances are the large majority of these passwords are quite old, widely-traded, and mostly invalid.

Obviously these headlines are more sensational than actual news. Being a writer myself, I know how it feels to submit a story and have some editor change the headline to something more exciting, although far from accurate. So I can’t just blame the journalists, although they all clearly ran with a poorly sourced and completely unconfirmed story. In fact, it seems that most of the stories are referring to Reuters and other publications as their only source.

It turns out that even Hold Security, the company that discovered the passwords, claims that only 43.5 million of those 272 million accounts were unique credentials they hadn’t seen before. Furthermore, Dan Goodin of Ars Technica reported that 98 percent of the Gmail accounts turned out to be invalid and 23 percent of the Mail.ru email addresses listed didn’t even exist.

It seems this password dump wasn’t that big of a deal after all.

Here are some real facts journalists should know before reporting on these types of stories:

  1. Hundreds of millions of passwords are floating around on the internet, although the majority of these are so old and so widely-traded that they’re likely invalid. It’s pretty easy for anyone to put a bunch of old passwords together and release it to the world. I did this myself. This is how I found them.
  2. Most of the largest internet companies do monitor password leaks and cross-reference these with their own user base, notifying individual users as necessary. Most passwords floating around the internet have already been reset.
  3. Password leaks often contain Gmail, Hotmail, and Yahoo email addresses, but that doesn’t mean these services got hacked. Most likely the breach occurred on smaller sites where people signed up with their Gmail, Hotmail, or Yahoo email accounts.
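The cross-referencing in point 2, as an added example that is not from the original post: a small Python script, using a constructed sample dump and a constructed user directory (PBKDF2 stands in for whatever password hash a real service stores), that de-duplicates a dump, counts addresses that never belonged to the service at all, and checks which leaked passwords still match a current hash, since only those accounts need a forced reset and a notification.

```python
import hashlib
import os

# Constructed sample dump in the "email:password" style of an aggregated dump:
# duplicates, a case variant, and an address that belongs to none of our users.
SAMPLE_DUMP = """\
alice@example.com:Summer2014!
Alice@Example.com:Summer2014!
bob@example.com:hunter2
bob@example.com:hunter2
carol@example.com:correct-horse
nobody@example.com:letmein
"""

def hash_password(password, salt):
    # Salted PBKDF2 stands in for whatever hash the service really stores (constructed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_db():
    # Constructed directory: alice and bob rotated their passwords after earlier
    # leaks, so their dumped credentials are stale; carol's is still current.
    current = {"alice@example.com": "rotated-2015", "bob@example.com": "also-rotated",
               "carol@example.com": "correct-horse"}
    salts = {email: os.urandom(16) for email in current}
    return {e: (salts[e], hash_password(p, salts[e])) for e, p in current.items()}

def parse_dump(text):
    # Normalise addresses and de-duplicate so counts reflect unique credentials, not raw lines.
    creds = set()
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        email = email.strip().lower()
        if sep and "@" in email and password:
            creds.add((email, password))
    return creds

def triage_dump(text, user_db):
    # Cross-reference the dump with our own users; only credentials that still
    # match a current password hash need a forced reset and a notification.
    creds = parse_dump(text)
    not_ours = {email for email, _ in creds if email not in user_db}
    still_valid = set()
    for email, password in creds:
        if email in user_db:
            salt, stored = user_db[email]
            if hash_password(password, salt) == stored:
                still_valid.add(email)
    return {"raw_lines": len(text.splitlines()), "unique_credentials": len(creds),
            "addresses_not_ours": len(not_ours), "force_reset": sorted(still_valid)}
```

On the sample dump, six raw lines collapse to four unique credentials, one address is not ours at all, and only carol still needs a reset.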

What might also be helpful to journalists (and your editors) is to clarify some basic terminology:

  • Hack or Breach — This means that someone circumvented the security of an organization and gained access to sensitive information. By saying in your headline that a company got hacked you are claiming that someone compromised their security, which often is not the case.
  • Steal — This is the process of taking something like data, without permission, from someone who owns that data. Other words that mean the same thing are nab, loot, or swipe.
  • Leak — This is when a company’s private data is made accessible — or leaked — to the public.
  • Dump — This is raw data that a hacker dumps on the internet for others to download. A dump may include one leak or possibly aggregated data from hundreds of leaks gathered over the course of several years.

Now knowing this, some of you journalists no doubt see how misleading and flat-out wrong your headlines were. A more accurate headline would have been “Security firm claims to have obtained a password dump collected by some Russian over the years, but 98% of them aren’t even valid.” But that doesn’t seem as exciting. You know why? Because it probably wasn’t news worth reporting in the first place.

The short URL for this article is https://xa.to/3v

Mark Burnett, editor for XATO. IT security analyst and author working in application security, passwords, authentication, and identity. Based in South Weber, Utah. https://xato.net