Are the credentials of one of your users among the stash of the 1.2 billion stolen passwords? A small Internet security company will tell you for just 120 bucks per year. Their announcement was strategically made in the middle of the Black Hat convention.
Something smelly here, don't you think? Early last century we had real estate scammers here in Florida who sold poor schmucks a safe and secure retirement in this state with bogus land deals. Well, even in our own industry you need to keep your eyes open and "Think Before You Click".
The press was all over this last week, starting with the New York Times, with a report released by Hold Security that over 1 billion passwords from more than 400,000 allegedly compromised websites had been stolen by invisible Russian bad guys. Hold Security branded these people with the sinister-sounding name "CyberVor", the word "vor" meaning thief in Russian.
Something did not sound right though, and a lot of security experts had this nagging feeling in the back of their mind. I was at Black Hat this week and I talked it over with my business partner Kevin Mitnick. We were both skeptical. I started to do some digging and came up with interesting data about that company and what some people called their "aggressive marketing".
"Any report that involves someone stealing 1.2 billion passwords and if you pay me 120 bucks I'll tell you if your stuff has been stolen makes me really suspicious," said David Mortman, a contributing analyst to Securosis, a security research and advisory firm in Phoenix. "The whole thing leaves a bad taste in my mouth."
Alex Holden of Hold Security announced to the NYT that he had discovered Russian hackers had stolen over 4 billion usernames and passwords. After running a duplication check, that narrowed to 1.2 billion and, while not often reported, that list was further whittled down to around 500 million individual users via unique email addresses.
If you read Hold's official statement, it describes the company's tracking of "CyberVor". They claim that these bad guys bought stolen credentials from other criminal hackers, then used those credentials to spam and infect their victims, building botnets which in turn executed SQL injections against hundreds of thousands of websites, which allowed them to steal more than a billion emails and passwords. But note that there is no link to actual numbers, or perhaps an audit result, or any real proof. Not even a list of the affected websites is available, with the excuse of "nondisclosure agreements." With whom? Here is the official Holden release so you can see for yourself: http://www.holdsecurity.com/news/cybervor-breach/
The "You Are Not Paying Attention" blog puts it like this: "How Alex Holden Spends Most of the Day Chillaxing on TOR and Lurking Russian Hack Boards". They said: "Holden himself has carefully collected this data over the span of a year or two, maybe even to the point of purchasing old information. Since lists like this have a very specific half-life, they were probably an aggregate of bargain bin purchases — thus why 4.1 billion quickly narrowed down to 1.2 billion and then to ~500 million unique email accounts."
I think you get the picture. Here is that blog, so you can check out the data and make up your mind whether you want to spend $120 or not. IMHO, you should keep that money in your pocket and continue to enforce strong passwords and deploy defense-in-depth: