The Lie Behind 1.2 Billion Stolen Password

Or: How Alex Holden Spends Most of the Day Chillaxing on TOR and Lurking Russian Hack Boards Preface: Id like to personally thank Rick Romell and Bill Glauber of the Milwaukee-Wisconsin Journal Sentinel for absolutely nailing this story out of the park with regard to localized research on Holden. That the number of credential went from 4 billion, then to 1.2 billion, and then (as per Mother Jones) to ~500 million is absolutely absurd and warranted investigation. Both of you are absolutely awesome. This will be short and sweet because Alex Holden does not need any further publicity for his actions. You have likely read the accusations that, earlier this week, Alex Holden of Hold Security announced to the NYT that he had discovered Russian hackers had stolen over 4 billion usernames and passwords. After running a duplication check, that narrowed to 1.2 billion and, while not often reported, that list was further whittled down to around 500 million individual users via unique email addresses. Lets look at the warning signs right off the bat: Announces 4 billion passwords have been taken across 420,000 websites Makes zero indication on how he learned this or how he obtained the output of 420,000 websites U/P data Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denvers One World Labs, said that Holden [] has gone off and done his own thing [] he has his way of doing it — very different than mine Refuses to indicate any of the sites compromised so that users can change their passwords as there is an ongoing investigation No law enforcement agencies (local, state, or federal) have corroborated that they are investigating Explains that he knows the names and locations of these […]