Yesterday, the New York Times published a front-page story that, if you're anything like me, probably made you want to crawl under your desk. The story, about a Russian gang that hacked its way into the world's largest collection of user data — including, amazingly, 1.2 billion username and password combinations and about 500 million email addresses — was objectively terrifying. And many readers no doubt rushed to change their passwords.
But the gravity of the hack may have been overstated.
Kashmir Hill points out at Forbes that the firm that brought the hack to the Times' attention, Hold Security, is also hoping to profit from it by selling a $120-a-year service to check whether you've been affected by the breach. "This is a pretty direct link between a panic and a pay-out for a security firm," Hill writes. And while it's not necessarily disqualifying to be both stoking fears of a major security breach and hoping to profit from said breach, it casts the firm's motives into question. If the firm hopes its Times story will help it attract new customers, its incentive is to make the breach appear as deep and wide-ranging as possible, regardless of what's actually at stake.
The Verge's Russell Brandom adds the fact that CyberVor, the Russian group behind the hack, might not have stolen the information themselves:
Both Perlroth's article and Hold Security's description stop short of saying the group actually stole all 1.2 billion passwords. They just "eventually ended up" with them. We already know the gang started out by buying data from earlier hacks, but it's remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else's hack.
Brandom also makes the point that CyberVor is mostly using the pilfered data to create Twitter spam, not defraud credit cards or steal corporate secrets. "The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality," he writes.
So while the Russian hack might be serious, it's probably not as big a deal as, say, the Heartbleed vulnerability. As always, you should change your passwords regularly as a precaution, but full-blown panic is probably overkill on this one.