In case you missed it, the New York Times reported yesterday that a Russian gang of 20-something hackers has amassed 1.2 billion username and password combinations, plus more than 500 million email addresses. This isn’t Heartbleed—it’s a heart attack.
The records were discovered by the Milwaukee-based firm Hold Security, which also helped uncover the Great Adobe Identity Theft of 2013.
Here’s what’s super scary about this particular scenario:
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites…And most of these sites are still vulnerable.”
And yes, the threat is authentic: the Times enlisted the help of a third-party security expert for confirmation.
Adding fuel to the hysterical fire is the fact that we don’t know whose email addresses are included or which sites are affected—and Holden “[WON’T] NAME the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.”
What will he name? A price.
For as low as $120 a month, you can pay Hold Security to find out if your site has been affected by the breach.
Appropriately, this offer-you-can’t-afford-to-refuse raised a few eyebrows:
Coincidentally, the firm quickly replaced the original service description with a “coming soon” message and then said by email that the service will actually be $10/month and $120/year:
“We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he says by email. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”
It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm.
Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it. We don’t just need hashed passwords salted, we need grains of salt in our reporting around security.
Looks a whole lot like a legitimate news piece wrapped in a cheap stunt, doesn’t it?