Many news outlets seem to be reporting this story (NY Times article) about Russian hackers allegedly acquiring billions of usernames and passwords.

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

However, the article is very vague, citing "nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable" as the reason for not publishing any names. The article claims that an independent "security expert" has verified the authenticity of the data, but this expert is not identified.

The only source given in the entire article, as far as I can tell, is Alex Holden of Hold Security, a company that, if I'm not mistaken, stands to benefit from people being highly concerned about cyber security. This has led some to question whether the entire incident is a hoax, or even a sly marketing attempt by Hold Security:

Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.

(by Forbes' Kashmir Hill)

Is there any actual evidence to back up this story?

Stephan B
  • Given that no one here is likely to get access to the original data, what would you regard as actual evidence to back up the story? – P_S Aug 11 '14 at 07:12
  • @P_S: Fair point. I suppose evidence in support of it being a hoax would also suffice. – Stephan B Aug 11 '14 at 09:04
  • What would you regard as actual evidence in support of it being a hoax? Note: a picture of the couch in his office should Not be included in that category. – Spork Aug 11 '14 at 09:28
  • It seems very likely that [Brian Krebs is the unnamed security expert](http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/). He states in that article that he has seen the data and asserts that it is real. – Ladadadada Aug 11 '14 at 11:51
  • Hold Security has a credential checker. According to reports on Twitter, it seems that you have to pay $120 to use it, but if someone independent does so and can confirm that their password was found in the collection and that a fake password was not, that would help confirm it as real. – Ladadadada Aug 11 '14 at 11:57
  • @Ladadadada It should be noted that Brian Krebs has a financial stake in the matter, so he isn't impartial. – Konrad Rudolph Aug 12 '14 at 08:49
  • @KonradRudolph My purpose in stating that he has seen the data and asserts that it is real is to match him to the unnamed security expert who "verified the authenticity of the data". Krebs's assertion that the data is real does not make strong evidence that the data is actually real. He states in that article that he does not have a financial stake in this matter or Hold Security; do you have evidence that he is lying about that? – Ladadadada Aug 12 '14 at 10:55
  • @Ladadadada He's a special advisor of Holden Sec: http://www.holdsecurity.com/about/advisory-board/ – As a special advisor he's probably not paid by them (otherwise he would be lying), but he's definitely got a vested interest in their success. More information about this (and generally relevant to this question) here: http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/ – Konrad Rudolph Aug 12 '14 at 12:31
  • _"reluctance to name companies whose sites remained vulnerable"_ that's bullshit. If they are vulnerable, the vulnerability needs to be made public, otherwise they'll just stay lazy and not fix it. – o0'. Aug 24 '14 at 09:10