As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.
From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts
These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.
Overall Krebs trusts some researcher who claims to have seen this data first hand. According to Krebs:
I’ve known Hold Security’s Founder Alex Holden for nearly seven years.
Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.