FUD over the current state of cyber insecurity reached a fever pitch this week as thousands gathered in Las Vegas for Defcon and Black Hat. While the hacking conferences served up their usual paranoia-inducing mix -- demos ofDropcam hacks and warnings that mobile apps are spying on us -- first prize for panic mongering this week goes to the New York Times story on Russian hackers who allegedly amassed 1.2 billion stolen Web credentials and half a billion email addresses.
Hold Security, which uncovered the database of stolen info, called it "arguably the largest data breach known to date," but failed to provide key details about the stolen data -- which should have raised questions about the seriousness of the discovery. Regardless, the Times report quickly went viral, as news outlets ranging from CNN, USA Today, and MSN to Ars Technica and Cnethammered home the message: Your password may have been stolen. Many of the reports compared the latest "breach" to the theft of 110 million users' data in the hack of retailer Targetearlier this year.
So kudos to Forbes' Kashmir Hill for being the first to stick a great big pin in the hype, calling it "the freakiest security story since Heartbleed." Hill pointed out that the story provided few details beyond hyperbolic numbers, and "no specifics about the state of those [stolen] passwords: whether they're in clear-text -- the worst case scenario -- or in encrypted form." It's worth noting that even small websites usually don't store passwords in plain text anymore. The system used to protect passwords, called "hashing," offers varying degrees of protection, some which can be broken in minutes and others that take longer and are more costly to break.
Russell Brandom at The Verge continued the pushback, noting, "If the idea of hacking 1.2 billion usernames sounds incredible, it should ... this data [actually] comes from hundreds of thousands of compromises over the course of months. Comparing it to breaches like Adobe or Target simply doesn't make sense."
Both writers commented on the unseemliness of Hold providing no details about which sites were compromised, while offering a $120-per-year subscription to find out if you were affected. "It's certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that's something any reader should keep in mind when reading quotes from a security professional," Hill wrote. "But this is a pretty direct link between a panic and a pay-out for a security firm."
Martyn Williams of the IDG News Service observed that in order to assess the seriousness of the discovery, researchers will need to know the age of the credentials collected by the Russian hackers. This information is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee. Many of the Web credentials could be associated with fake email addresses or closed accounts, or they could be decades-old.