Russian password breach revelation seems shady

Hold Security revealed this week that a Russian cybercrime group has amassed a database of over a billion compromised passwords. Hold gets credit for discovering and announcing this massive breach, but the way it went about it seems a bit shady.

I shared some thoughts of my own, and from others, about the suspicious nature of the Hold Security disclosure:

There were plenty of hyperbolic, sky-is-falling headlines yesterday about news that a Russian criminal organization has amassed over a billion compromised passwords. The information was vague and scarce on details, though, and accompanied by a pitch to sell a service from a virtually unknown security vendor. The whole thing feels like a marketing stunt, or a fake antivirus scam perpetrated on a global level.

Let me back up one step, and say that I don’t actually believe it’s a scam. It just has many of the same attributes of a fake AV scam. Hold Security isn’t a household name, but it was involved in exposing the Adobe data breach last year, and there is no reason to assume the breach they’re reporting this time isn’t true.
That said, the combination of over-the-top hyperbole and a lack of details seems sketchy. The Hold Security website goes so far as to label this “the largest security breach.” If true, I won’t argue that 1.2 billion passwords is some sort of record, but if we want to split hairs I don’t agree that it’s the largest breach because the compromised credentials were collected from hundreds of thousands of sites, which is not the same as a single company like Target getting hacked.

I’m not suggesting that this news isn’t cause for concern, though. It is obviously a problem if cybercriminals have a database of 1.2 billion passwords, and 500 million email addresses, from 420,000 vulnerable websites. The problem is that Hold Security was intentionally nebulous about how the information was compromised, or which sites were affected—citing nondisclosure agreements, and concerns that many of the affected sites are still vulnerable.

Read the full article at CSOOnline.com: “Disclosure of Russian password hack seems like fake antivirus scam.”
