This story is proof to me that the New York Times takes bribes. Let me give you an alternate scenario:
American "White Hat" hacker wants to see how gullible people are. So he invents a story that he discovered 1.2 billion passwords hacked by a mysterious gang in Russia he calls CyberVor. He reports it through the New York Times, paying them to plant a false story. They hire "a security expert" that they do not name to verify at least that he's got a database of 1.2 billion fake e-mail addresses and fake passwords. He then offers on his website a "service" free for the first 30 days, $10/month thereafter, to let you enter your e-mail address and password to check against the fake database- at which point your e-mail address and password go into the real database, which he then sells at the upcoming "Black Hat" conference as proof that users are stupid.