Don't panic: That Russian hack bombshell isn't what you think

News of 1.2 billion stolen Web credentials raises key questions about the data -- and the motives of the security researcher

FUD over the current state of cyber insecurity reached a fever pitch this week as thousands gathered in Las Vegas for Defcon and Black Hat. While the hacking conferences served up their usual paranoia-inducing mix -- demos of Dropcam hacks and warnings that mobile apps are spying on us -- first prize for panic mongering this week goes to the New York Times story on Russian hackers who allegedly amassed 1.2 billion stolen Web credentials and half a billion email addresses.

Hold Security, which uncovered the database of stolen info, called it "arguably the largest data breach known to date," but failed to provide key details about the stolen data -- which should have raised questions about the seriousness of the discovery. Regardless, the Times report quickly went viral, as news outlets ranging from CNN, USA Today, and MSN to Ars Technica and Cnet hammered home the message: Your password may have been stolen. Many of the reports compared the latest "breach" to the theft of 110 million users' data in the hack of retailer Target earlier this year.

So kudos to Forbes' Kashmir Hill for being the first to stick a great big pin in the hype, calling it "the freakiest security story since Heartbleed." Hill pointed out that the story provided few details beyond hyperbolic numbers, and "no specifics about the state of those [stolen] passwords: whether they're in clear-text -- the worst case scenario -- or in encrypted form." It's worth noting that even small websites usually don't store passwords in plain text anymore. The system used to protect passwords, called "hashing," offers varying degrees of protection, some of which can be broken in minutes and others that take longer and are more costly to break.

Russell Brandom at The Verge continued the pushback, noting, "If the idea of hacking 1.2 billion usernames sounds incredible, it should ... this data [actually] comes from hundreds of thousands of compromises over the course of months. Comparing it to breaches like Adobe or Target simply doesn't make sense."

Both writers commented on the unseemliness of Hold providing no details about which sites were compromised, while offering a $120-per-year subscription to find out if you were affected. "It's certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that's something any reader should keep in mind when reading quotes from a security professional," Hill wrote. "But this is a pretty direct link between a panic and a pay-out for a security firm."

Martyn Williams of the IDG News Service observed that in order to assess the seriousness of the discovery, researchers will need to know the age of the credentials collected by the Russian hackers. This information is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee. Many of the Web credentials could be associated with fake email addresses or closed accounts, or they could be decades old.

"If you take Sony, LinkedIn, eBay, and Adobe," said Chester Wisniewski, a senior security advisor at Sophos, naming four of the biggest recent password breaches, "that's already 500 million accounts. The only way we can know if this is a big deal is if we know what the information is and where it came from," Wisniewski added. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."

InfoWorld's Roger Grimes concurred, saying, "I'm not only bothered that [the discovery] is from one source, but that the password database review was only done by one company; 1.2 billion is a lot of credentials and seems very high to me."

Another red flag: The hackers aren't trying to sell the data or use it to steal actual money. "They're using it for Twitter spam, the dark Web equivalent of boiling the bones for stock," says The Verge's Brandom. "The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.... No one was going to pay $120 a year just to find out if their Twitter might get hacked."

We may never learn the details of how these passwords were stolen and who's actually at risk -- and Hold Security has been in no rush to offer any fresh information. But dialing back on the FUD and asking questions of the company is a good start.

This article, "Don't panic: That Russian hack bombshell isn't what you think," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.
