Hold Security has reported another major hacking crisis. 1.2 billion people were reportedly affected by a ring of Russian hackers. However, some critics say Hold Security needs to be scrutinized, because they could be profiting from these massive data breaches. Here are both sides of the story about Hold Security.
1. Hold Security Reported the ‘1.2 Billion’ Victims Figure
Get some tips on how to protect yourself from identity theft in the video above.
Hold Security says 1.2 billion online accounts might have been compromised by a Russian hacking ring. Hold Security wrote a blog post on their site entitled “You Have Been Hacked!” In the post, they explain how they discovered that Russian hackers had been linked to the data breach:
“Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it ‘CyberVor’ (‘vor’ meaning ‘thief’ in Russian).
The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites…
4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your e-mail address…A credential pair is a combination of user id (mostly e-mail) and password and we have discovered 1.2 billion of such unique pairs that have been breached.”
2. Hold Security Also Reported Another Massive Breach
360 million stolen credentials found floating on the blackmarket as we announce our Credential Integrity Services http://t.co/4K7GZCZT1x
— HoldSecurity (@HoldSecurity) February 26, 2014
The Hold Security name may be familiar to readers who followed our coverage of a massive data breach in February. Hold Security reported that 360 million people were affected by that hack. Additionally, 1.25 billion emails were exposed during this breach.
3. Critics Worry Hold Security Is Profiting From These Breach Reports
California residents must be told by law if their info is compromised. Don't pay Hold Security. http://t.co/VlOnmblcUj
— Arik Hesseldahl (@ahess247) August 6, 2014
Some tech websites, including the Verge, are critical of Hold Security. The Verge says that Hold Security’s report on the Russian hackers “doesn’t add up,” arguing that is “capitalizing on the panic” surrounding the news of this massive hack. They write:
“Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it’s just trying to recoup expenses, but there’s something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is.”
The Verge’s report goes on to note that Hold Security might have misrepresented the activities of these Russian hackers:
“Hold Security’s description stop[s] short of saying the group actually stole all 1.2 billion passwords. They just ‘eventually ended up’ with them. We already know the gang started out by buying data from earlier hacks, but it’s remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else’s hack.”
4. Kaspersky & Symantec Also Question News of the Russian Hack
The Guardian reports that security researchers from Kaspersky, Symantec and University College London have all questioned Hold Security’s findings.
Researcher Brad Karp told reporters, “It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data. We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.”
5. Hold Security Has Made Some Questionable Changes to Its Website
Forbes reports that Hold Security recently made some changes to its website that might raise a few eyebrows.
“Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story [about the “CyberVor” breach] went up…
‘The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away.’
Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a ‘coming soon’ message.”
With Yadron shining a spotlight on Hold Security’s refusal to name those who might be affected in his report, it does seem telling that Hold Security pulled down a part of its site.