News broke this week that an alleged data breach may have exposed the email accounts and passwords of millions of Yahoo users, resulting in the sale of their information online. What makes this an “alleged” data breach? The fact that Yahoo has yet to confirm it, and the fact that anyone can claim to have hacked and stolen personal information.
Alleged data breaches are making big headlines lately, since there seems to be a treasure trove of old data floating around the dark web, much of it useless. It takes no effort or skill for someone to pose as a hacker, grab up an entire database of old email addresses and passwords, then try to pass it off as current information.
For example, following the LinkedIn breach, the same hacker claimed to have accessed over 427 million MySpace accounts, stealing the email addresses, user names, passwords, and more. The only problem is MySpace topped out at around 300 million+ accounts. Unless over 100 million people had a second MySpace account for some reason, a significant number of those accounts were believed to have been bogus. Further investigation proved that many of the email addresses associated with the MySpace accounts weren’t real, and that over 200 million of them were limited to either Yahoo, Gmail, or Hotmail addresses. That, along with the incredibly random passwords, led investigators to believe that someone had created all of these accounts in order to extort money from MySpace, claiming they’d been stolen in a data breach.
Now, the same hacker has taken credit for stealing millions of Yahoo email account logins. Once again, however, when outside teams tried to connect with over one hundred of those accounts, most of them came back as undeliverable or as old email accounts that were no longer active. This has led some experts to speculate that the hacker, who goes by the name Peace, is simply grabbing old databases of leaked information and trying to sell them online as newly hacked data.
Unfortunately, just because the information was old or was stolen some time ago doesn’t necessarily mean it can’t still come back to haunt you. One thing the alleged MySpace and LinkedIn breaches taught us was that reusing your password can have serious consequences. Even if you haven’t checked in with MySpace in a while (or, like many people, you forgot you even have an account), there’s a good chance that the email address on that account, coupled with the password you used back then, could still be in effect on a different account that you use today. If you created a Facebook account shortly after opening your MySpace account, for example, you might have used the same email/password combination, and therefore given a scammer access to your Facebook account.
Besides being yet another example of why you’ve got to have strong, unique passwords on all of your accounts, this is a good reminder of why you need to change your passwords from time to time. Login information that was valid two years ago shouldn’t still be usable today. Also, whether it’s a real data breach or not, anytime news breaks of a potential hacking event, let that be another reminder to change your passwords in order to protect yourself.