Last week a new data leak dubbed “Collection 1” appeared online, exposing 773 million hacked email accounts and their credentials. The leak was reported by security researcher Troy Hunt and subsequently picked up by major news outlets across the globe.

Understandably, a breach of this size is a cause for alarm. Digging deeper, however, one finds that this is an aggregated leak of previous breaches ranging from 2 to 3 years old. Speaking with Stan Bounev of VeriClouds, it was learned that over 90% of the data from Collection 1 already existed in his database. Similarly, Brian Krebs, who spoke with Alex Holden of Hold Security, reported that he previously gathered 99% of the data from this leak from other sources.

This isn’t the first time that an aggregation of leaked sources surfaced online. I wrote in December 2017 that “a more nuanced conversation is required to understand the risks that this interactive database poses to organizations” upon news of 1.4 billion compromised credentials being leaked and shared on the dark web.

Journalistic reporting on data breaches and generating FUD and hype about old news and previous breaches is a recurring theme of Troy Hunt and Have I Been Pwned (HIBP) that raises the specter of being compromised. The trend is even more disturbing after having several encounters with Hunt loyalists, including members of the press.

During a meeting last summer with a Director of Threat Intelligence and Incident Response of a major US technology corporation, a comment was made that “I don’t know of any white hat security researchers other than Troy Hunt.” More troubling was an email I exchanged with a journalist from a prominent technology news outlet. Upon offering to brief him on modern credential-centric threat intelligence capabilities, he replied: “If it’s not from Troy Hunt, I don’t trust it.” He later blocked me on Twitter after I pointed out what a closed-minded thing to say that was and that it wasn’t the sort of view I would expect to hear from a prolific journalist.

Are fixed mindsets and personal biases affecting the quality of journalism today?
