Hackers Steal 1.2B Passwords; Security Firm Criticized

A Russian gang is believed to have stolen more than a billion online passwords. But the security firm that discovered the breach has also caused controversy over its handling of the situation, including paid-for services to deal with the breach.

Hold Security of Milwaukee discovered and publicized the breach. The company is legitimate, and its previous claims of breaches have checked out: it was responsible for detecting a massive breach at Adobe last year.

The company says it discovered that a Russian group named CyberVor (which translates as cyber-thief) has gathered together data from 420,000 websites - some which are very well known.

Financial Data Thought Unaffected

Altogether, CyberVor is believed to have stolen a total of 1.2 billion user names and passwords and 500,000 email addresses. Ironically, the stolen information also includes details of Hold Security's founder, Alex Holden. Hold Security says it is contacting affected websites regarding the breach, but has chosen not to name the sites publicly, citing nondisclosure agreements and because some sites remain vulnerable.

The breach is thought to be the biggest haul of its type, though it doesn't appear to include any financial details, such as card or account numbers. An independent security expert granted access to Hold Security's files told the New York Times that the stolen CyberVor information appeared genuine. (Source: nytimes.com)

The details of how CyberVor got hold of the data has also not been revealed, though it's suggested that the attack involved a breach of SQL databases. SQL is a database programming language used to manage data held in relational database management systems (RDBMS). Typically, databases of these types hold users' log-in credentials, among other related information.

There also a theory that the CyberVor database isn't intended to be used for carrying out crime, but is rather a way for Russian criminals, and possibly even the country's government, to intimidate the West.

Major Newspaper Questions Security Firm's Actions

Meanwhile, Hold Security has come under criticism from the Washington Post. The Post points out that although Hold Security is keeping many details of the attack under wrap, it is also offering a paid service under which it will charge $10 a month to monitor the database and those of other (future) breaches to see if a particular email address is being compromised. In other words, they're offering to keep tabs on your stolen information to see if it's likely being used against you in future attacks.

Although Hold Security is offering a 30-day free trial of their services, the Washington Post has raised questions about the company, including how it's possible to make direct financial benefit from any resulting panic as a result of the breach. (Source: washingtonpost.com)

What's Your Opinion?

Do you believe tensions between Russia and the West could be responsible for cybersecurity attacks? Should Hold Security make public the list of sites that were affected? Is it a conflict of interests for Hold Security to raise fears of security breaches and then cash in on them?