if someone refuses to give access to the official authorities
if someone than tries to make money out of it and forgets every public responsability (in my view he can be sued because it are not his password, it is lost or stolen property that should be handed back to the rightful owners by the public authorities)
if something sounds as if it has been set up to make a maximum impact before one of the biggest security-events in the world (blackhat) and where the agenda for this event is already mindblowing (so you had to pre-empt all that publicity)
than that needs more research
and this article http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/ doesn't believe much of the story and thinks - based on a trend he has discovered among a lot of other discoveries by Hold Security - that he has just put together all the databases that you can find online that are for sale (and of which many are fake, too old or just unusable). Official indexes of already leaked data the last 2 years are not far from the billion.
and more articles are coming to that conclusion
in my view, if he has that data he needs to be officially questioned and prosecuted if he refuses to cooperate with the authorities - this will also learn other clowns to make such declaration to try to make a business for himself
meanwhile the story has been copy-pasted around the web which is not the case with the critical stories which proves that copy-paste journalism can be very dangerous