Another Day, Another Data Dump: Billions of Passwords Go Public
Most of the large-scale password leaks reported in recent years are compilations of old data rather than new events; the real threat is exaggerated, and stronger password management is recommended against the residual risk. 2025-9-24 13:47:52 Author: securityboulevard.com

In the past few years, the security industry has seen several reports on massive password leaks. The number of exposed credentials in these leaks is staggering: 10 billion, 26 billion, and sometimes even more. The suggestion is clear: a massive new breach has occurred and your digital life is in immediate danger. But if you read past the headline, you’ll often find something far less dramatic.

These reports are rarely about a single, catastrophic breach. Instead, they’re compilations: massive databases of credentials scraped from old leaks, public forums, and dark web marketplaces. They’re not always new, but they are newly packaged. And while they’re still dangerous, the panic they generate often outpaces the actual threat.

Take the infamous “RockYou2021” leak. While it was widely reported as a breach of 8.4 billion passwords, the reality is that it was a text file of previously leaked passwords, many of them duplicates or outdated. Similarly, recent reports of 26 billion credentials “leaked” were based on aggregations of past breaches, not a fresh compromise of billions of accounts like the headlines made it seem.


It may feel like these sorts of large-scale breaches are happening more and more these days, and while that’s partially true, there is more at play here. First, the industry has gotten better at detecting these sorts of attacks, and entire companies now exist that help manage breached credentials. This makes identity-related breaches more visible and big business. Second, cybersecurity is now a household concept and part of everyone’s work and personal life. This means that every big event transpiring in the cyber landscape is newsworthy, resulting in wide reporting by the press.

That’s not to say these compilations don’t matter, because they do. Here are some examples of how the bad guys may use this information, framed around three questions: “what works,” “where else does it work,” and “what else can I figure out?”

Credential Stuffing: Credential stuffing is when a hacker takes a large list of breached credentials and uses their infrastructure to “try the door” by plugging in various username/password pairs. This often happens from many different systems under the control of the attacker, so it looks like standard login traffic to IT and security personnel. This is the attacker asking, “what works?”

Credential Pivoting: Hackers are resourceful, and a common tactic is to take a single breached username/password pair, then try it across many of the most popular internet sites, including shopping platforms, technology websites, social media, and more. Many people reuse passwords, and the bad guys take this knowledge and use it to their advantage. This is the attacker asking, “where else does this work?”

Brute Forcing: Hackers may take an entire password list and use it with a single username to see if the user is using a commonly used or basic password (think of examples like “password” or “letmein”). This is the attacker asking, “what else can I figure out?”

Now, you may be thinking, “why would a hacker release a breach list like this?” In many cases, it’s simply for “cred” and getting their name out there as a “player” among other hacker groups. For others, they’re doing it to make money, as many corporations hire firms to find and purchase breached credentials that are for sale in the underground so they can be managed as part of a cybersecurity program. Thirdly, they often do it for simplicity, as a single big password list may be easier to manage than multiple smaller ones.

But here’s the truth: If your username and password are part of one of these mega-collections, it’s most likely old news and your credentials were breached previously as part of a much smaller event.

While the solution shouldn’t be to panic, it should be hygiene. Use a password manager. Turn on multi-factor authentication. Check if your credentials have been exposed using tools like “Have I Been Pwned,” a website that aggregates data from various breaches and makes it searchable. And most importantly, never reuse passwords.
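The “Have I Been Pwned” check can be automated without ever sending the password anywhere: its Pwned Passwords service accepts only the first five hex characters of the password’s SHA-1 and returns every known suffix under that prefix, so the match happens on your side (a k-anonymity lookup). The example below is added here and is not the article’s or the service’s own code; `CONSTRUCTED_LEAKED` and `fake_range_endpoint` are a made-up stand-in for the real `GET https://api.pwnedpasswords.com/range/<prefix>` call so it runs offline.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the breached-password corpus (counts are made up).
CONSTRUCTED_LEAKED = {"password": 9_000_000, "letmein": 250_000, "Tr0ub4dor&3": 12}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Offline substitute for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns one 'SUFFIX:COUNT' line per corpus hash sharing the 5-char prefix,
    the same shape the real service returns. The server side only ever sees
    the prefix, never the full hash and never the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the CRLF-separated 'SUFFIX:COUNT' body into a suffix -> count map."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """k-anonymity lookup: hash locally, send only the first 5 hex chars,
    then compare the remaining 35 chars against the returned suffixes locally.
    Returns how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} time(s)")
```

Swapping `fake_range_endpoint` for a function that performs the real HTTP GET keeps the client logic unchanged, since only the prefix is ever transmitted.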

The headlines will keep coming, and so will the panic. But, by remembering the deeper complexities of this reporting and maintaining proper password hygiene, you’ll be better prepared for anything the news cycle has to offer.


Source: https://securityboulevard.com/2025/09/another-day-another-data-dump-billions-of-passwords-go-public/