Yesterday, The New York Times reported that a Russian cyber gang managed to obtain over 1 billion unique passwords from various sites across the web. The security research firm Hold Security discovered the hack and NYT verified the authenticity of the stolen credentials using an independent party.
Still, details about the hack are few and far between. How many of the compromised passwords come from the high-profile breaches of the last year? How many of the usernames and passwords stolen from Target, eBay and Goodwill were already being sold on the black market before this collection was assembled?
Hold Security also claims that victims of the hack range from “Fortune 500 companies” to smaller websites. No company has stepped forward to acknowledge the hack since Hold Security broke the news yesterday.
But even more puzzling is Hold Security’s reaction to the attack. The company is offering “full electronic identity monitoring” for individuals. The service will be free for 60 days and will cost $120 per month afterward. Customers must complete a registration process that includes handing over an email address and, according to Hold Security’s terms of service, “encrypted versions of your passwords to compare it to the ones in our database.” You can’t even check whether your usernames and passwords were part of the attack unless you sign up for this service.
This is a huge conflict of interest for Hold Security. It is the one profiting from your fear. Most security research firms offer their services for free to people who have been hacked. Traditionally, companies that have been hacked provide credit monitoring services free of charge. Sony provided a subscription to AllClear ID after its 2011 hack. Target also provided free credit monitoring to all of its affected customers.
I’m not the only one skeptical of Hold Security’s approach. Here’s what Joe Siegrist, CEO of LastPass, had to say about it:
“I’m very suspicious of Hold Securities’ [sic] approach. They are offering ‘full electronic identity monitoring service’ to individuals for the price of $120. Most security companies who find something like this hack offer to help people for free. Hold Securities is also asking for your email before they will send their terms of service, which is not something I am willing to do, and I would not recommend anyone else do either.”
Alex Holden, founder and chief information security officer of Hold Security, explained why the company is charging for its identity monitoring service. Speaking to The Wall Street Journal, Holden said his company is charging a fee to recoup the costs of verifying website ownership. “Believe it or not, it is a hard and often thankless task,” said Holden.
The Verge dug into the story as well, noting that the method used to obtain the passwords, SQL injection, is as well known as it is routinely defended against. “SQL injection is a powerful technique, but it’s also a common one…It’s always possible that a Fortune 500 company left themselves exposed but it seems like a longshot,” writes Russell Brandom.
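To show what Brandom means by “common” and why it is normally defended against, here is an added example (not from the original article, and not code from Hold Security, The Verge or any site named in the story) of a classic SQL injection login bypass beside the parameterized query that stops it. The user table and credentials are constructed for the demo; the payload `' OR '1'='1` is the textbook tautology.

```python
import sqlite3

# Constructed sample data for the demo only; no real breach data.
# (Passwords are stored in plaintext here purely to keep the query readable;
#  a real system would store salted hashes.)
USERS = [("alice", "correct-horse"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query text is built from untrusted input: the injectable pattern."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query, but values are bound by the driver, never spliced into SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, username):
    """A tautology in WHERE turns a one-row lookup into a full table dump."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def demo():
    """Run both versions against the same payload and return the outcomes."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # WHERE username = 'alice' AND password = '' OR '1'='1'  -> every row
        "vuln_bypass": login_vulnerable(conn, "alice", payload),
        # The payload is just a literal string here, so no row matches.
        "safe_bypass": login_parameterized(conn, "alice", payload),
        # WHERE username = 'x' OR '1'='1'  -> dumps the whole table
        "vuln_dump": dump_vulnerable(conn, "x" + payload),
        # Legitimate credentials still work with the safe version.
        "safe_login": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable version accepts the payload as a valid login and, with the same trick, hands over every username and password in the table; the parameterized version treats the payload as an ordinary (wrong) password. This is why Brandom calls the technique common: the fix is a one-line change that most web frameworks apply by default.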
The takeaway from this is that sensationalism sells. As part of the media, I bear some responsibility, but here at Softonic we strive to be accurate and avoid sensationalism. Online threats are real, but we should temper the fear with facts. Now that security firms like Hold Security are profiting from our fear, we have to be skeptical of corporate interests as well.
I reached out to Hold Security, which had not responded by the time this story was written.
Header image credit: 401(K) 2012
Follow Lewis on Twitter: @lewisleong