"If you take Sony, LinkedIn, eBay, and Adobe," said Chester Wisniewski, a senior security advisor at Sophos, naming four of the biggest recent password breaches, "that's already 500 million accounts. The only way we can know if this is a big deal is if we know what the information is and where it came from," Wisniewski added. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."
InfoWorld's Roger Grimes concurred, saying, "I'm not only bothered that it's from one source, but that the password database review was only done by one company; 1.2 billion is a lot of credentials and seems very high to me."
Another red flag: The hackers aren't trying to sell the data or use it to steal actual money. "They're using it for Twitter spam, the dark Web equivalent of boiling the bones for stock," says The Verge's Brandom. "The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.... No one was going to pay $120 a year just to find out if their Twitter might get hacked."
We may never learn the details of how these passwords were stolen and who's actually at risk -- and Hold Security has been in no rush to offer any fresh information. But dialing back on the FUD and asking questions of the company is a good start.