
Firm Exposes ‘Billion Passwords’ Breach, Peddles $120 Service to Potential Victims

In case you missed it, the New York Times reported yesterday that a Russian gang of 20-something hackers has amassed 1.2 billion username and password combinations, plus more than 500 million email addresses. This isn’t Heartbleed—it’s a heart attack.

The records were discovered by the Milwaukee-based firm Hold Security, which also helped uncover the Great Adobe Identity Theft of 2013. 

Here’s what’s super scary about this particular scenario:

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites…And most of these sites are still vulnerable.”

And yes, the threat is authentic: the Times enlisted the help of a third-party security expert for confirmation.

Adding fuel to the hysterical fire is the fact that we don’t know whose email addresses are included or which sites are affected—and Holden “[WON’T] NAME the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.”

What will he name? A price.

For as low as $120 a month, you can pay Hold Security to find out if your site has been affected by the breach.

Appropriately, this offer-you-can’t-afford-to-refuse raised a few eyebrows.

Coincidentally, the firm quickly replaced the original service description with a “coming soon” message and then said by email that the service will actually be $10/month and $120/year:

“We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he says by email. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”

Forbes writer Kashmir Hill sums up the murky ethics of the offer below, but we’d love your take on it—if Alex Holden is our knight to the rescue, is his armor a shiny white, or black?

“It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm.

Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it. We don’t just need hashed passwords salted, we need grains of salt in our reporting around security.”

Looks a whole lot like a legitimate news piece wrapped in a cheap stunt, doesn’t it?
