Schneier skeptical of NYT's 'over a billion passwords stolen' hack story

The big New York Times scoop about the alleged theft of more than a billion usernames and passwords smells fishy to security expert Bruce Schneier.

Over a Billion Passwords Stolen?

I've been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords. As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

More here.