It was widely reported yesterday in The New York Times and elsewhere that a sophisticated Russian crime ring was holding a massive cache of stolen Internet credentials. According to the private security firm Hold Security, a Russian cybercriminal gang called CyberVor has accumulated 4.5 billion stolen records, including 1.2 billion unique usernames and passwords belonging to more than 500 million email addresses. CyberVor allegedly obtained the confidential material by raiding 420,000 websites. Hold Security maintains the breached websites include some very large companies that are “household names.” The New York Times article notes Hold Security “has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.”
Over the past 24 hours, the reaction to the Hold Security press release has gone from shock and surprise, to doubt and skepticism. The trepidation is a result of Hold Security’s decision to not name the victims, citing confidentiality concerns. But, according to an article appearing in The Guardian, Hold Security initially offered a commercial “breach notification” service requiring consumers and companies to pay an up-front fee to see if they had been affected. Although the company offered a commercial security services as part of its report, Hold Security has since said it would allow consumers to check for free whether their usernames or passwords had been stolen.
In light of Hold Security's failure to completely disclose its findings, cybersecurity experts caution the report should be taken with a grain of salt. To date, the claims have not been vetted or the findings verified by third party security experts. Additionally, it is somewhat troubling that no major companies have so far come forward to urge their user to change credentials. Given the alleged magnitude of the breach—nearly 5 billion passwords—and the global coverage it has received, one would expect to have at least a few companies to have issued public statements if its users are at risk.
Seeking to address these concerns, Hold Security permitted a third party security expert to analyze their findings at the request of The New York Times. According to The New York Times, the expert confirmed the data was authentic.
While the validity of the claim by Hold Security is being viewed cautiously for now, as new facts emerge over the next few days and the cybersecurity industry investigates, Hold Security will either be vindicated or suffer an embarrassing black eye.