What we know about the recent theft of 1.2 billion passwords

On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.

The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts and about Holden’s motives.

Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user ID was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.

Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.

In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.

In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
