Google and Yahoo have joined Mail.ru in confirming that of the millions of email credentials that were leaked online, over 98% are bogus. The tech giants investigated claims of the supposed breach and found that almost all of the accounts were invalid.
Mail.ru said that 99.98% of the data it analysed turned out to be invalid accounts. Of the listed data, the Russian provider found that 65% had incorrect password matches, 12% of the accounts were previously shut down by Mail.ru themselves and the remaining 23% didn't even exist.
A Google representative told Ars Techninca: "More than 98% of the Google account credentials in this research turned out to be bogus. As we always do in this type of situation, we increased the level of login protection for users that may have been affected."
Yahoo also issued a statement which reads: "Our security team has investigated and we don't believe there is any significant risk to our users based on the claims shared with the press. We always encourage our users to create strong passwords or, even better, eliminate use of passwords altogether by using Yahoo Account Key."
Data breaches are increasingly becoming one of the most popular and effective cybercrimes to affect individuals and businesses these days. On 4 May, reports emerged of 272 million email logins being hacked and put on sale on the dark web. However, a Russian email provider, also believed to be one among those breached, has claimed that none of its data has been affected by the "hack".
Security firm Hold Security was sent nearly 1.7 billion credentials by a Russian hacker, selling them online for less than $1 (£0.70). The data allegedly came from major global email providers like Google, Hotmail, Yahoo and Russia's Mail.ru. However, according to a report by Motherboard, Mail.ru, which accounted for 57 million accounts of the leaked data, has claimed that after conducting a check on a sample of the data, none of the email and password combinations were found to work.
According to cybersecurity researcher Troy Hunt, who runs the popular "Have I been pwned?" site, there is little or no evidence to suggest the data leaked was accessed by hacking into email providers. "You know how much effort we go to in trying to figure out if breaches are legit or not, it feels like that hasn't happened here," said Hunt. "I really think it's a non-event that's getting more headlines that the actual data warrants."
In fact, given the magnitude of the hack, it is highly likely that Google, Yahoo, Hotmail and Mail.ru would have informed their customers of the breach. Moreover, Hold Security has already confirmed that of the 272 million credentials found to be unique, only 42 million were those that were never seen before. This indicates that most of the data leaked may actually be from older breaches.
When dealing with potential cyberthreats like the recent alleged email hack, it is essential to keep in mind that tech providers are obligated to and usually do inform those affected by such a breach. In this case, given the absence of confirmation from the tech giants, it is likely that most users are relatively safe for the time being.