News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.

To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.

Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.

Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples

An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.

...

The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.