Yesterday, Reuters reported that tens of millions of email addresses and account passwords were stolen in an apparent data breach -- but as is often the case, there's more to this story than meets the eye. According to Motherboard, which spoke with both Hold Security (the company that received the data in question) and security expert Troy Hunt, it's not at all clear that the email providers were hacked. It's even possible this data isn't legitimate.
For starters, Motherboard received a statement from Russian email provider Mail.ru, which accounted for 57 million accounts in the data release. The provider claims that after doing a sample check of the data, none of the email and password combinations work. This casts plenty of doubt on the legitimacy of the entire data set.
Furthermore, Alex Holden (CEO and founder of Hold Security) admitted that the data appeared to come from "a collection of different breaches." Between this and the doubt that Mail.ru has cast on the legitimacy of the data, it's entirely possible that the data in this "hack" is either quite old or didn't come from the email providers directly -- or both. Troy Hunt of "Have I Been Pwned" (a site that maintains a repository of data breaches) said to Motherboard: "You know how much effort we go to in trying to figure out if breaches are legit or not, it feels like that hasn't happened here."
As always, it's good to practice good password hygiene and change your passwords frequently (and seriously, two-factor authentication!), but it's also worth maintaining some perspective -- if a company as large as Microsoft, Google or Yahoo was hit with a data breach affecting tens of millions of its customers, it would likely have made that knowledge publicly available. Absent any firm confirmation from those companies -- and given Mail.ru's statement -- it seems most users should be safe at the moment.