Hold Security revealed this week that a Russian cybercrime group has amassed a database of over a billion compromised passwords. Hold gets credit for discovering and announcing this massive breach, but the way it went about it seems a bit shady.
I shared some thoughts from myself, and others about the suspicious nature of the Hold Security disclosure:
There were plenty of hyperbolic, sky-is-falling headlines yesterday about news that a Russian criminal organization has amassed over a billion compromised passwords. The information was vague and scarce on details, though, and accompanied by a pitch to sell a service from a virtually unknown security vendor. The whole thing feels like a marketing stunt, or a fake antivirus scam perpetrated on a global level.Let me back up one step, and say that I don’t actually believe it’s a scam. It just has many of the same attributes of a fake AV scam. Hold Security isn’t a household name, but it was involved in exposing the Adobe data breach last year, and there is no reason to assume the breach they’re reporting this time isn’t true.That said, [inlinetweet prefix=”” tweeter=”” suffix=””]the combination of over-the-top hyperbole and a lack of details seems sketchy[/inlinetweet]. The Hold Security website goes so far as to label this “the largest security breach.” If true, I won’t argue that 1.2 billion passwords is some sort of record, but if we want to split hairs I don’t agree that it’s the largest breach because the compromised credentials were collected from hundreds of thousands of sites, which is not the same as a single company like Target getting hacked.
I’m not suggesting that this news isn’t cause for concern, though. It is obviously a problem if cybercriminals have a database of 1.2 billion passwords, and 500 million email addresses, from 420,000 vulnerable websites. The problem is that Hold Security was intentionally nebulous about how the information was compromised, or which sites were affected—citing nondisclosure agreements, and concerns that many of the affected sites are still vulnerable.
Read the full article at CSOOnline.com Disclosure of Russian password hack seems like fake antivirus scam.