The New York Times reported on Tuesday that a Russian hacker group, dubbed "CyberVor" by security experts, had amassed a collection of some 1.2 billion user name and password combinations and more than 500 million email addresses, including information gathered from some 420,000 websites – amongst them household names and smaller internet sites.
The discovery was made by Hold Security, which just last year uncovered the theft of tens of millions of records from Adobe Systems. It is being described as "the largest known collection of stolen Internet credentials", and would be just the latest in a series of incidents in which large amounts of personal data have been plundered by hackers. However, Business Insider (Singapore) reports that newer reports are surfacing that are skeptical of these claims.
This is largely because Hold Security has withheld significant details, such as whether or not the stolen data was encrypted, which companies and websites had been affected, and, crucially, which countries the information had been stolen from.
While Hold Security says it will not name the victims due to "nondisclosure agreements and a reluctance to name companies whose sites remain vulnerable", it was also caught putting up a page on its site promoting its new breach notification service, right around the time the New York Times story went live, offering to check whether your company has been a victim of the CyberVor breach for "as low as $120/month, with a 2-week money back guarantee, unless we provide any data right away."
The page has since been amended; it now points you to pre-register for Hold Security Electronic Identity Monitoring and Protection, which is "Free for 30 days if you sign up now". Even so, it makes Hold Security's findings seem suspicious, especially given the timing. Hacking experts and security researchers had gathered at the Black Hat USA security conference last week, and another security conference, Def Con, kicks off today, so this could well have been a ploy to generate more visibility while cyber security is already in the news.
Forbes reports that Alex Holden of Hold Security responded to their email queries about the service charges by saying that the service will actually be $10/month and $120/year. "We are charging this symbolical fee to recover our expense to verify the domain or website ownership," he says by email. "While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task."
It is easy to see that an internet security firm might have a vested interest in spreading news about a massive hacker attack when doing so directly promotes its own services. Yet the fact remains that there is a black market for credentials, where hacker groups buy and sell stolen logins before launching their own attacks with them. That means what Hold Security claims could be true, regardless of whether the firm is trying to profit from it. The only safe thing to do, therefore, is not to reuse your passwords, and to get into the habit of changing them regularly.