12 quadrillion email addresses hacked! - Fear in advertising

Sven Krumrey

A few days ago, a story first took common IT portals by storm and then spread to big media outlets like wildfire: 1.2 billion email account credentials had supposedly been offered for sale at ridiculously low prices. The focus was on Russian users but it was a world-wide issue. What made my pulse skyrocket and sounded like another data leak may have been something else entirely.

A healthy dose of skepticism is in order

That user credentials are sold in the darker corners of the web is old news. Usually, email addresses (in the millions) are sold anonymously, with or without associated passwords, and payment is made in Bitcoin. Victims will either find themselves the target of spam mails or find their access data being used for other purposes, such as shopping sprees on Amazon or eBay, since many users use only a single password for multiple online services.

The story published in the blog of a security company could have been taken right out of a bad movie: A Russian nerd, still in school, had spent his days gathering user data from various places. He allegedly didn't do any hacking but had simply compiled data sets from numerous dubious sources. For his efforts (roughly 1 billion users are really something) he requested adequate payment: 50 rubles, around 75 cents. It was this aspect that made me suspicious since I had heard a lot about hackers but never that they were stupid or modest.

Young but not innocent?

Which is why I did not enter my email address at an online site claiming it would check whether I was affected. Maybe dozens of email addresses were just collected this way? Time for glorious paranoia. With my pulse back to normal, I simply waited. Once duplicate entries were removed, 1.2 billion users quickly turned into 272 million, still a considerable amount. Soon afterwards, the remaining addresses were validated by the affected email providers - and the data turned out to be entirely useless: obsolete, already blocked or completely made up. But the news had already reached the media and probably left many with a feeling of uneasiness. You may remember the name Hold Security, IT security experts and authors of the story.

As is often the case, the big data leak and supposedly huge threat quickly turned into a paper tiger. This reminds me of an old advertising strategy - spreading fear. Viruses are frequently reported first by anti-virus software developers, always with catastrophic prognoses and the subtle hint that, naturally, their software can already detect the bad guy. "Without milk, our bones will fall apart" is what dairy food lobbyists would have us believe, while the next wave of the flu might kill all of us anyway, according to vaccine companies. The future will be a disaster unless we vote for the one party that can solve all of our problems. Fear makes us listen and open our wallets. Fear is perfect for attracting attention.

Just holding a red padlock: Useless once your data is gone

Can all of that be proved? Not really, but it pays to be critical. Eerily familiar bad news is as certain as bad weather: same information, same sources, varying layouts. Does this mean you shouldn't be concerned? Certainly not. But if you use strong enough passwords (sorry, 1234 won't cut it), change them regularly and don't use the same password for all of your services, you don't have to break a sweat every time one of these stories comes up.

Author's note:
The Ashampoo blog is celebrating its first birthday! What are your wishes and topic suggestions? Simply post them in the comments section!