The New York Times dropped a bombshell report on Tuesday, saying that a tight-knit group of Russian hackers managed to get their hands on 1.2 billion internet passwords. It's a scarily unprecedented number, and the ensuing coverage has been fittingly sensational. But there are some reasons to be suspicious of the narrative of this story. I have written them out in handy listicle form below.
1. We don't know how old/accurate these records are.
According to the Times, this group amassed this trove of credentials two ways: it used botnets to check websites for vulnerable databases of passwords and personal info, but it has also been "buying stolen databases of personal information on the black market" since 2011. How many of the passwords were bought as opposed to harvested by botnets? How many of those databases have already been publicly disclosed, with users prompted to change their passwords? We don't know, and the company that made this collection public, Hold Security, isn't saying.
2. We don't know what sites were hacked.
Not all online accounts are created equal. My Gmail password is valuable to me, as access to that account would give you access to a ton of my personal information. This is not the case with the account I have on a Day of Defeat message board. Hold Security has said that the breach affected over 420,000 web and FTP sites, "ranging from Fortune 500 companies to very small websites," but none of the usual suspects have come forward to confirm the breach, and Hold Security says it "would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable." So these guys could have access to your personal email account, or they could have the passwords to an Eritrean file sharing site, but we don't know.
3. We don't know if the passwords were encrypted.
Websites that are trying to secure your data do this cool thing called hashing, which is essentially a one-way form of encryption: the site stores a scrambled version of your password rather than the password itself. To protect your passwords even better, sometimes they hash and salt them, adding a random value to each password before hashing it. Salted hash sounds like a delicious breakfast, but taking these steps makes your passwords exponentially harder to actually see, even for someone who has a copy of the database. So are the passwords these hackers now have plaintext, or were they salted and/or hashed? Hold Security isn't saying.
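To show why that question matters, here is an added example (mine, not from the article or from Hold Security) of what a leaked password table looks like under plain hashing versus salted hashing, plus the verification step a site runs at login; the two users and their shared password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two hypothetical users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

PBKDF2_ROUNDS = 200_000  # work factor; higher makes each guess slower to test


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical
    hashes, so one precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt=None, rounds: int = PBKDF2_ROUNDS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The stored record carries
    the salt, round count and derived key, so identical passwords produce
    different records and each account has to be attacked separately."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the salt in the stored record and compare in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_tables() -> tuple:
    """What a leaked database looks like under each storage scheme."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return unsalted, salted


def identical_records(table: dict) -> bool:
    """True when every user shares one stored value: the leak alone reveals
    which accounts share a password, before any guessing starts."""
    return len(set(table.values())) == 1


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted records identical:", identical_records(unsalted))  # True
    print("salted records identical:", identical_records(salted))      # False
    print("alice login ok:", verify_salted("correct horse", salted["alice"]))
```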
4. The hackers haven't sold the data.
Why would hackers with this much info not have sold it already? There are two likely reasons: they could be waiting for the right price, or the info isn't actually that valuable.
5. Hold Security is selling a service to see if you're affected.
This is probably the biggest red flag. Hold Security is using this announcement to offer a "breach notification service," a $10 monthly subscription with the company to tell you if you've been affected. Hold Security told Forbes blogger Kashmir Hill by email: “We are charging this symbolical fee to recover our expense to verify the domain or website ownership. While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”
Look, it's always smart to use secure passwords and change them somewhat regularly. Not doing so online can leave you vulnerable. But vulnerability is fixable. You can use services like 1Password or LastPass to keep your passwords unique, secure and easy to rotate. And beware men bearing $10-a-month promises of security.