I’ve been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.
As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.)
The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.
Yesterday, Forbes wrote that Hold Security is charging people $120 to tell them if they’re in the stolen-password database:
“In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach,” says the site’s description of the service using its pet name for the most recent breach. “The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away.”
Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message.
Holden says by email that the service will actually be $10/month and $120/year. “We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he says by email. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”
This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.
I don’t know how much of this story is true, but what I was saying to reporters over the past two days is that it’s evidence of how secure the Internet actually is. We’re not seeing massive fraud or theft.
We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords — they’ve probably had most of them for a year or more — and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it it’s all okay. This is a weird paradox that we’re used to by now.
Oh, and if you want to change your passwords, here’s my advice.
EDITED TO ADD (8/7): Brian Krebs vouches for Hold Security. On the other hand, it had no web presence until this story hit. Despite Krebs, I’m skeptical.
EDITED TO ADD (8/7): Here’s an article about Hold Security from February with suspiciously similar numbers.
EDITED TO ADD (8/9): Another skeptical take.