itwbennett writes: Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. 'The only way we can know if this is a big deal is if we know what the information is and where it came from,' said Chester Wisniewski, a senior security advisor at Sophos. 'But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify.' Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.