1.2 billion passwords stolen: Why the world isn't entirely convinced

tech2 News Staff • August 8, 2014, 14:06:41 IST

1.2 billion passwords, 500 million user accounts have been stolen by a Russian hacker gang, said a report in New York Times on Tuesday. But not everyone is convinced.

1.2 billion passwords and 500 million user accounts have been stolen by a Russian hacker gang, said a report in The New York Times on Tuesday. Obviously, it has caused much concern in the technology world, and this is being seen as the largest known collection of such stolen data. This massive data breach was discovered by Hold Security of Milwaukee, Wisconsin and, according to the firm, the passwords and account logins were stolen from some 420,000 websites.

“Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable,” Alex Holden, the founder of Hold Security, told NYT.

But not everyone is convinced about these revelations. For starters, Hold Security wants users to pay $120 to know if their account was compromised, which is frankly a huge amount and also makes it seem like they are trying to make a quick buck.

As this piece on The Verge by Russell Brandon notes, “Hold Security is already capitalizing on the panic… Hold says it’s just trying to recoup expenses, but there’s something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up.”

Interestingly, Hold has refused to name any of the services from which the accounts were stolen. The number of services which would have such a large number of users is also limited, as Brandon points out, adding that if Facebook, Google Search, and Microsoft Office were targeted, “Hold wouldn’t be shy about saying so.”

He also points out that Hold’s description doesn’t explicitly say how the theft took place, other than saying that the hackers first acquired these accounts from other hackers on the black market, then used these IDs to spread spam.

And the use of this data for ‘spam’ is another revelation that has caused much suspicion. According to Brandon,

“They’re using it for Twitter spam, the dark web equivalent of boiling the bones for stock. If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming. The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.”

And he isn’t the only one questioning Hold Security’s revelation. Forbes’ Joseph Steinberg notes in his piece,

“If any of the breached passwords were to sensitive systems such as banking systems or the like, don’t you think we’d be witnessing theft and other forms of financial fraud? Sending spam, and selling passwords to be used for sending spam, is hardly the most profitable use of stolen credentials.”


He, too, points out that it’s not clear how many of the stolen passwords are currently in use and whether these belong to important accounts or just to those many websites that demand you create an account and enter a password for access.

With regard to the SQL injection, Hold says CyberVors (the group of hackers) got access to data from botnet networks, which used victims’ systems to identify SQL vulnerabilities on the sites they visited. Both Brandon and Steinberg point out that most major systems are looking out for such vulnerabilities.

Steinberg notes rightfully, “various information-security technologies also catch attempts at launching SQL Injection attacks, log them, and notify system administrators,” adding that it does sound incredible that such an attack would take place without any firm mentioning it or even alerting users.

In addition to this, Steinberg adds that Hold Security doesn’t have the credentials to back up its huge claim. He adds that the fact that “Alex Holden has been unreachable to major media outlets for much of the time since the breach was reported,” is also cause for alarm. More importantly, no one has seen this data.

Another well-known cybersecurity expert, Bruce Schneier, has written on his blog questioning the hype around this data breach. He too notes that the hype around the story, and the fact that Hold Security is trying to make money out of this panic, is disturbing.

He also makes another relevant point, saying that the report should actually be seen as proof that the Internet is secure. He writes,

“We’re not seeing massive fraud or theft. We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords – they’ve probably had most of them for a year or more – and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer.”


So while Hold Security seems to be getting some publicity, not everyone is convinced, given the way this story has played out. For users, this means that they can breathe easy for now. However, if you still feel worried about your password, you can read more here on how to make a strong password.
