The New York Times struck fear into Internet users everywhere yesterday with its report that Russian hackers had gotten hold of a staggering 1.2 billion username and password combinations. But is the threat exaggerated? At Forbes, Kashmir Hill finds it a little fishy that Hold Security, the Wisconsin security firm that uncovered the breach, began offering a service for $120 a year that allows people to see whether they've been affected. It went public about the same time the Times story got posted. "I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic," she writes. "If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it."
At the Verge, meanwhile, Russell Brandom sees a few holes in the account of the alleged hack itself. For one thing, it's not clear whether the so-called CyberVor hackers stole the data themselves or bought it from others. If it's the latter, "many of the passwords could have been old data from someone else's hack," and thus less of a threat. "The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money." Instead, they're apparently using it to create low-grade Twitter spam, suggesting that this "data is more about quantity than quality." Bottom line? It's still sound advice to change your passwords regularly, "but full-blown panic is probably overkill on this one," writes Kevin Roose at the Daily Intelligencer. (Read more Internet security stories.)