Kudos to Lawrence Abrams and Bleeping Computer for calling out Cybernews’ misleading reporting.
News broke today of a “mother of all breaches,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
Read more at BleepingComputer.
Bleeping wasn’t the only one criticizing Cybernews’ recent story that got picked up in many news outlets.
Cybernews’ “Stunt”
Over on Infosec.Exchange, Kevin Beaumont responded to Bleeping Computer’s article by noting that this was the second time Cybernews had “pulled this stunt.”
@JayeLTee responded, highlighting that sometimes it was very easy and fast to get leaks locked down but it appears Cybernews didn’t even try:
What’s even funnier is that some of the servers they are talking about were exposed for months, and they say they were briefly exposed. Some were exposed even after they published the article.
An email for the ISP abuse email and CERT.br for the one they mention with 679 million records, and the server was closed in a few hours. It was that hard.
Plus, all the other times they’ve made posts linking to data still exposed that I ended up closing like: https://databreaches.net/2024/09/26/massive-french-citizens-data-leak-exposes-95-million-records/
Multiple other examples of their misleading or irresponsible reporting, too many to name in a post
A Wake-Up Call for News Outlets and Media
Given others’ concerns about the accuracy of their reporting and failures to ensure that data is locked down before they report on it, DataBreaches will no longer be reporting or linking to any Cybernews reports of “discovered leaks” or breaches if they are not confirmed as such by reliable sources.
We hope other news outlets and media will also investigate the accuracy of Cybernews’ claims of “discoveries” by their researchers so that they do not wind up just disseminating fake news like the recent “16 billion” story.
As much as I generally hate the phrase, “wake-up call,” Lawrence Abrams’ reporting really should be a wake-up call for serious journalists and news outlets.
Update: Probably in response to criticism by Bleeping Computer, Kaspersky, this site, and others on social media, Cybernews has been updating its post to provide more details and data samples. They even changed their headline from “16 billion credentials” to “16 billion passwords,” but still call this all a “record-breaking data breach.” It’s not “a data breach.” It’s not even “a gigantic leak.” It’s not a single anything. It’s 30 datasets from different servers and entities.
The additional data they provide seems to confirm how inaccurate and misleading their original claims were. They write:
None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a “mysterious database” with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.
“None of the exposed datasets were reported previously, bar one,” they write. That, too, is inaccurate. The NPD data is the National Public Data breach data that has been leaked previously on more than one site. So those data are not new, and furthermore, the NPD data breach did not involve passwords at all, so that’s more than 743 million of their records that they include incorrectly in their count of 16 billion.
They also wrote, “Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.” ? Infostealer logs can be large, yes, but the data they are reporting are not all from infostealers.
Responding to their attempt to convince skeptics and critics, @JayeLTee also noted their misrepresentation of the NPD data, and then pointed out other misrepresentations in his commentary:
Even better now that Cybernews added the table names for the servers in the article.
NPD Data-1 & NPD Data-2: Didn’t even have passwords, let alone be Infostealer data, just a leak of the breach that happened some time ago; -743.5m legit logs.
people_stable_v3, an earlier version “people_stable” was exposed in late 2024, and it was a compilation of breached databases, even linked to each database and the year of the breach; Another -3.872b legit logs.
So, in just 4 indices, already over 4.5 billion records are just previously breached and leaked data. Multiple table names also directly point to Telegram extracts (ctionbudget, telegram_index).
And that’s how you hype up a post, folks.
It’s a shame when legitimate news outlets just repeat claims instead of insisting on more details and seeking evaluation of claims before repeating them.