GitHub DDoS
GitHub says it is investigating what appears to be a DDoS attack against its website. Reuters/Kacper Pempel

News that a gang of Russian hackers stole 1.2 billion online passwords immediately sparked widespread panic about identity theft, questions about Internet security flaws and, for at least one cybersecurity company, a chance to cash in.

Any Internet user who read through this week’s New York Times story detailing the hack, which also compromised about 500 million email addresses and 420,000 websites, would be understandably terrified that their closely guarded personal information is now under the control of a shadowy criminal syndicate. It’s especially alarming considering that Russian thieves are no strangers to cybercrime, with hackers previously deploying malicious software against the NASDAQ and compromising the data of 110 million Target (NYSE: TGT) customers.

Hold Security, a Milwaukee-based cybersecurity firm, first tipped the Times off to the vast hack, but a growing chorus of Internet experts now doubts that the breach is as dangerous as the “1.2 billion passwords stolen” notion implies. No specific information was provided about the passwords (whether they’re encrypted, whether they belong to outdated websites like AOL, etc.), and Kashmir Hill of Forbes quickly revealed that Hold Security, led by founder Alex Holden, is charging customers “as low as $120” to find out if they were among the 1.2 billion people compromised.

“This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic,” Bruce Schneier, a respected security blogger and Electronic Frontier Foundation board member, wrote on his blog.

“We’re not seeing massive fraud or theft,” he went on. “We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords – they’ve probably had most of them for a year or more – and everything is still working normally.”

It’s also been suggested that CyberVor, the Russian collective behind the hack, didn’t steal the information itself but rather purchased older data stolen in previous hacks.

Brian Krebs, a Washington Post reporter-turned-cybersecurity blogger who broke news of the Adobe breach that exposed tens of millions of customer records, didn’t deny that the business may have exaggerated the infiltration but also vouched for Holden, saying that his research is “definitely for real,” and that most thefts of this size are used for spamming.

“Junk email is primarily sent in bulk using large botnets – collections of hacked PCs,” Krebs wrote. “A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.”

Any Web users who have used the same password for multiple websites are advised to change them.