New York Times Overhypes 1.2 Billion Password Theft
Yes, it's true. Nicole Perlroth and David Gelles uncovered the fact that a Russian cybercriminal ring had acquired a staggering 1.2 billion usernames and passwords from various websites. Before you hurl your electronics into a bonfire and retreat into the mountains forever, though, you may want to think it over first: The potential harm has been greatly exaggerated.
First off, as the New York Times article states, it is indeed very likely that a Russian gang has come into possession of 1.2 billion username and password combinations and more than 500 million email addresses. Just as the security researchers say, it's also probable that the websites compromised represent both tiny and huge companies. It's even possible that these hackers have a hold of your information somewhere.
The important counterpoint, which the article fails to bring up, is this: So what? The potential for harm probably won't be any worse or more noticeable than all the rest of the cybercrime that plagues the world on a daily basis. And it probably won't happen to you.
Consider the most important issue first: username and password security. Most websites, and especially major websites that store sensitive personal or financial information, do not store passwords at all; they store a hash of each password. Hashing is a one-way transformation: there is no key that turns the stored value back into the password, so a thief who copies the table must guess candidate passwords and hash each one until a match appears. How hard that is depends entirely on how the site did its hashing. Passwords stored with a per-user salt and a deliberately slow algorithm (bcrypt, scrypt or PBKDF2, for example) have to be attacked one user at a time, and each guess costs real computation. Passwords stored as a plain, unsalted MD5 or SHA-1 digest fall quickly to an ordinary dictionary attack, because one computed hash can be compared against every account in the table at once. The first kind of database is rarely worth a cybercriminal's effort; the second very much is.
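The difference between those two storage schemes is easiest to see in code. The following is an added example written for this article, not code from the New York Times, Hold Security or any breached site; the wordlist, user names and passwords are constructed here for illustration, and the iteration count is an assumed work factor. It mounts the same small dictionary attack against a table of unsalted MD5 hashes and against a table of salted PBKDF2 hashes, and reports how many hash operations each attack needed.

```python
import hashlib
import os

# Constructed illustration: a tiny wordlist and a four-user table. Not real
# leaked data; the names, passwords and hashes exist only for this example.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]
SAMPLE_USERS = {
    "alice": "password",
    "bob": "dragon",
    "carol": "Tr0ub4dor&3",   # not in the wordlist, so neither attack finds it
    "dave": "password",       # same password as alice
}
PBKDF2_ITERATIONS = 100_000  # assumed work factor; real deployments tune this upward


def hash_unsalted_md5(password):
    """Weak storage: one fast, unsalted hash. Same password -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def build_unsalted_leak():
    """What an attacker gets from a site that stored unsalted MD5."""
    return {user: hash_unsalted_md5(pw) for user, pw in SAMPLE_USERS.items()}


def build_salted_leak():
    """What an attacker gets from a site that stored salted PBKDF2: (salt, digest)."""
    return {user: hash_salted_pbkdf2(pw) for user, pw in SAMPLE_USERS.items()}


def crack_unsalted(leak, wordlist):
    """Dictionary attack on unsalted hashes.

    One hash per candidate word is enough to test it against *every* user,
    because identical passwords produce identical hashes. Returns the
    recovered passwords and the number of hash operations spent.
    """
    lookup = {}
    ops = 0
    for word in wordlist:
        lookup[hash_unsalted_md5(word)] = word
        ops += 1
    found = {user: lookup[h] for user, h in leak.items() if h in lookup}
    return found, ops


def crack_salted(leak, wordlist, iterations=PBKDF2_ITERATIONS):
    """Dictionary attack on salted, slow hashes.

    The salt forces the attacker to redo the wordlist separately for each
    user, and every attempt costs `iterations` HMAC rounds instead of one.
    Returns the recovered passwords and the number of PBKDF2 evaluations spent.
    """
    found = {}
    ops = 0
    for user, (salt, digest) in leak.items():
        for word in wordlist:
            ops += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()
            if candidate == digest:
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(build_unsalted_leak(), COMMON_PASSWORDS)
    print(f"unsalted MD5: recovered {found} with {ops} fast hashes")
    found, ops = crack_salted(build_salted_leak(), COMMON_PASSWORDS)
    print(f"salted PBKDF2: recovered {found} with {ops} slow hashes "
          f"({ops * PBKDF2_ITERATIONS:,} HMAC rounds)")
```

Both attacks recover the same three weak passwords and miss carol's, but the unsalted table costs five fast hashes for the whole user base (alice and dave share a hash, so cracking one cracks both for free), while the salted table costs fourteen PBKDF2 evaluations, each 100,000 rounds deep, and that cost grows with every additional user. Scale the user count up to the numbers in the report and the second database is the one a criminal gang will not bother with.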
Keep in mind, too, that Hold Security, the Milwaukee-based security firm that discussed the issue with the New York Times, was not keen on disclosing exactly how many usernames and passwords came from major sites as opposed to minor ones. The majority of the compromised usernames and passwords could easily belong to websites that store nothing more than said usernames and passwords. It's possible that larger sites gave up their secrets in greater numbers, but that would only be conjecture.
Perhaps the most damning thing about the original report is that it stands to make someone a lot of money, and that someone is Hold Security. "You Have Been Hacked!" warns the Hold Security website, even though, statistically, your chances of being hacked would be one in seven — if each of the 1.2 billion usernames and passwords represented a single person, which they do not.
Fear not, though, as Hold Security promises to keep all of your data safe and sound, as long as you're willing to cough up $120 per month for its service. What better way to drum up a little business than to scare potential customers in a major publication, then offer an expensive panacea?
The way to keep your data safe in light of the Russian crime ring is the same way you've (hopefully) been keeping your data safe up to this point: use a different password for every account that matters (a password manager makes this painless), change a password promptly whenever a site you use reports a breach, turn on two-factor authentication wherever it is offered, and only share your personal and financial information online when you really need to (sharing your credit card information to buy something is reasonable; sharing it for a simple account verification may not be). A stolen password for a throwaway forum account only becomes dangerous when it is also the password to your email or your bank.
If the unlikely does happen and you find yourself as a potential identity theft victim, contact your credit card company, the website where the breach occurred and local law enforcement. Until then, take smart precautions and you should be fine.