Did Russians REALLY Steal 1.2 Billion Passwords? FORBES Expert Says, ‘So What?’
According to a security firm, Russian hackers have reportedly stolen 1.2 billion passwords, hacked from some 420,000 websites and more than 500 million email addresses. But is it really THAT bad?
Hold Security, a firm in Milwaukee, Wisconsin, reportedly has a history of discovering significant security and data breaches, leaks and thefts. They say the Russian hackers targeted a variety of sites - anything they could get their hands on, from Fortune 500 companies to small firms.
Even the Better Business Bureau of Eastern Washington issued a warning to consumers about revising or changing their passwords for sensitive information. From a brief they issued Friday:
"... According to the Hold Security, its Deep Web Monitoring program discovered what could be the widest-ranging global security breach in history, affecting an estimated 420,000 websites, ranging from Fortune 500 companies to small internet sites."
But according to Joseph Steinberg of FORBES Magazine, it might be overblown. While nobody should take cyber security lightly, Steinberg gives some reasons why it might not be that bad.
1) The extent of the damage done so far appears to be mostly stolen passwords used to send spam on social networks.
2) It is not clear how many of the stolen passwords are current. Unless a person re-uses an old password, these would be useless.
3) Many passwords are of little use to consumers. Hundreds of thousands of websites require people to create a password just to browse for free through potential items to purchase. Such passwords don't compromise any identity or confidential information.
4) Most financial and other sensitive password protected systems (such as your bank) are regularly checked for vulnerability to what is called SQL Injection, a primitive method used to try to steal such data. Because SQL Injection was used in this breach, it's likely the hackers didn't get deep into systems to gather truly sensitive or damaging information.
5) Many cyber-security experts are questioning the validity of Hold Security's claims. Steinberg says the company didn't immediately go public with the news of the alleged hack, nor did they make the data public so it could be analyzed for solutions. Steinberg himself had never heard of them prior to this report.
So what should you do? According to Stenberg, while the breach may indeed be what Hold says it is, don't go off the deep end:
"So, what to do now? Don’t panic, and go on with your life. Until more information comes out I would not suggest resetting passwords – they may be on systems that can be re-breached – or sending anyone encrypted copies of your passwords."