Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected

The New York Times dropped the freakiest security story since Heartbleed on Tuesday, warning that a "Russian gang has amassed over a billion passwords." The story provides few details beyond hyperbolic numbers: "1.2 billion username and password combinations" and "more than 500 million email addresses" are in the hands of a group of 20-something hackers in Russia, according to the report. It says nothing about the state of those passwords: whether they are in clear text, the worst case, or stored as hashes, in which case how much of the haul is actually usable depends on how well each site hashed them. The Internet predictably panicked as the story of yet another massive password breach went viral.

We don't know whose email addresses are included or which sites are affected, which helps fuel the hysteria. The only use of the passwords the story mentioned was the hackers using them to break into Twitter accounts to send out spammy messages. The NYT says it learned of the hack from Alex Holden of Milwaukee-based Hold Security, a security firm that looks for big breaches. He said the hackers collected the credentials using a botnet and SQL injection, a common web attack technique, but Holden "would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable," reported the Times, which asked a third-party security expert to confirm that Hold Security's database of stolen credentials was "authentic." Holden wasn't giving out details, but he was willing to pump up the danger of the breach, telling the Times: "Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable."

Panic time, right? You can't even change your passwords to protect yourself, because you don't know which websites are affected or whether they're still vulnerable. This is the worst kind of news: spare on details, causing a panic, and offering no solution. Oh wait, but there is a solution! You can pay "as low as $120" to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up.

"In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach," says the site's description of the service using its pet name for the most recent breach. "The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away."

Hold Security replaced this with a "Coming soon" message shortly after it drew attention on Twitter

Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a "coming soon" message.

Holden says by email that the service will actually be $10/month and $120/year. "We are charging this symbolical fee to recover our expense to verify the domain or website ownership," he says. "While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider is the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the 'good guys'. Believe it or not, it is a hard and often thankless task."

It's certainly in the interest of any security firm to portray the state of cybersecurity as dire to make its wares more appealing, and that's something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a payout for a security firm. Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive to create a panic being the main source for a story that causes one. If nothing else, the New York Times story should have disclosed that the firm that reported a major breach hoped to profit directly from it. We don't just need hashed passwords salted; we need grains of salt in our reporting around security.