So, I've now seen this in two different places. Count me very skeptical, based on a look at the data that is circulating on pastebin. Thread time. 1/?
It's not impossible that a big data breach would happen and lists of credentials would get thrown out on the Internet. In fact it's pretty common, and then those lists get added to the lists used by pen testers and criminals.
When these things get thrown out, one of the things you might have to do, if this is your job (and it's been mine in the past) is see if folks from your employer are on the list. If they are, you tell 'em to change their password and look to see if a compromise happened. 3/?
When you're doing due diligence on this, you will want to check to see if the creds on whatever list have been circulating for a while, so you don't contact someone and get them worried when it's about a breach that happened long ago. 5/?
Now, sometimes people are stupid, and keep using a set of creds that is circulating, so you might still want to check with that person. But generally, if a set of creds was tossed out in the wild years back, you're not going to be that worried. 6/?
If you are charged with incident response, one of the places you can go to see if creds have circulated for a while is hxxps[://]haveibeenpwned[.]com/. It's not perfect, for legal or corporate reasons you might not be able to use it, but it's good enough for most purposes. 7/?
If I have to check creds from an alleged breach, and this keeps showing up, my worries about the alleged breach decrease. 8/?
I've seen the list of creds alluded to here circulating on Pastebin, and so far, they all look old, two of the alleged victims don't show up at all in the list, and it includes usernames that start with "drwho." This makes me very skeptical that a breach has occurred. 9/?
Also, so far I've seen no evidence of the "everything" that is allegedly being downloaded. It's not unknown for someone to claim a breach happened and then circulate "leaked" data that is faked and/or a malware vector, too. 10/?
If I worked at one of the alleged victim locations I'd be checking the data out, but based on what I have seen so far, I wouldn't be too worried. 11/?
If and when "everything" surfaces, I'd suggest waiting until the people who have experience in this look the data over in depth. Cursory examinations can be really misleading. 12/?
This is especially true in today's world, where fakery abounds and there are a lot of people making careers of pumping the world full of disinfo. Take, for example, this photo of POTUS in a meeting. 13/?
Look over the metadata, and the lat/long is Washington DC, and it was taken today. 14/?
Actually look at the photo, and you might notice a few indications that the metadata is inaccurate, almost as if I altered it. 15/?
The trick I pulled wouldn't fool a skilled examiner for long, if at all, but I've seen it fool people before, sometimes people who should know better. If you ever see data dumps, wait until a bunch of skilled examiners go over it and agree on it. 16/?
And even if there is genuine info, well, keep this tweet in mind. 17/? https://twitter.com/rootkovska/status/618014718339497984
Fakery abounds, and no matter how smart you are, you can be fooled. And on that note, I think this thread is done. 18/18
You can follow @doppelvizsla.
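The due-diligence check described in tweets 3 through 8, as an added example that is not part of the original thread: it pulls one employer's accounts out of a dump and asks whether each password has already circulated, using the SHA-1 prefix/suffix (k-anonymity) format of Have I Been Pwned's Pwned Passwords range lookup. The dump, the old-corpus counts, the `example.com` domain and the offline `fake_range` stand-in for the network call are all constructed for illustration.

```python
import hashlib

def parse_dump(text):
    """Yield (user, domain, password) from 'user@domain:password' lines; skip malformed ones."""
    for line in text.splitlines():
        account, sep, password = line.strip().partition(":")
        user, at, domain = account.partition("@")
        if sep and at and user and domain and password:
            yield user, domain.lower(), password

def k_anon_parts(password):
    """Split the SHA-1 into the 5-char prefix that is sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def seen_count(password, fetch_range):
    """How many times the password appears in earlier corpora (0 means never seen)."""
    prefix, suffix = k_anon_parts(password)
    for row in fetch_range(prefix).splitlines():   # rows look like SUFFIX:COUNT
        candidate, _, count = row.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def triage(dump_text, employer_domain, fetch_range):
    """Return [(account, prior_count)] for the employer's accounts found in the dump."""
    return [(f"{user}@{domain}", seen_count(password, fetch_range))
            for user, domain, password in parse_dump(dump_text)
            if domain == employer_domain.lower()]

# Constructed sample data (not taken from any real dump).
OLD_CORPUS = {"password123": 4200, "tardis": 977}
SAMPLE_DUMP = ("alice@example.com:password123\n"
               "bob@example.com:Tr0ub4dor&3x!\n"
               "drwho1@other.test:tardis\n"
               "not-a-credential-line\n")

def fake_range(prefix):
    """Offline stand-in for the range lookup, so the example runs without network access."""
    rows = ["0" * 35 + ":1"]                       # unrelated padding row
    for password, count in OLD_CORPUS.items():
        p, suffix = k_anon_parts(password)
        if p == prefix:
            rows.append(f"{suffix}:{count}")
    return "\n".join(rows)

if __name__ == "__main__":
    for account, count in triage(SAMPLE_DUMP, "example.com", fake_range):
        print(account, "old, seen before" if count else "not seen before, look closer")
```

A high prior count points toward a recycled list; a zero for a live account is the case worth a closer look.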