Questions posed about mega-hack

Questions have been raised among the security community about a huge attack on US systems which is alleged to have stolen 1.2 billion user name and password combinations and more than 500 million email addresses.

The hack was discovered by an outfit called Hold Security and was claimed to include confidential material gathered from 420,000 websites, including household names and small Internet sites.

Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems, so it should have been seen as a reliable source.

The company said the attack was found after more than seven months of research and was being carried out by a Russian cyber gang which is currently in possession of the largest cache of stolen data. Since the gang did not have a name, Hold Security dubbed it “CyberVor”.

All cool stuff, but many of the comments about the hack online centre on the fact that Hold Security happens to offer a $120/month breach notification service so that people can find out if the hackers have their passwords on file.
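A breach notification service does not need to collect the user's actual password to answer "is this on file?". The sketch below, added here as an illustration and not code from Hold Security or from the original article, shows the k-anonymity range-query pattern used by some public breach-check services: the client sends only the first five hex characters of the password's SHA-1 hash, the service returns every stored hash suffix under that prefix, and the comparison happens on the client. The leaked-password list, the prefix length and the function names are all constructed for the example.

```python
import hashlib

# Constructed sample of "leaked" passwords standing in for a breach corpus.
# These are illustrative only, not data from any real breach.
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hunter2"]

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the service (assumption)


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Service side: bucket the SHA-1 of each leaked password by hash prefix.

    The service only ever stores hashes; it keeps no plaintext passwords.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Service side: answer a prefix query with every matching hash suffix.

    The service learns a 5-hex-character prefix, which thousands of unrelated
    passwords share, and nothing else about the password being checked.
    """
    return sorted(index.get(prefix.upper(), []))


def client_request(password: str):
    """Client side: derive what actually leaves the machine (the prefix only)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def is_leaked(password: str, index) -> bool:
    """Client side: query by prefix and compare suffixes locally."""
    prefix, suffix = client_request(password)
    return suffix in range_query(index, prefix)


if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    for candidate in ["hunter2", "correct horse battery staple"]:
        prefix, _ = client_request(candidate)
        print(f"{candidate!r}: sent prefix {prefix}, leaked={is_leaked(candidate, idx)}")
```

The point for anyone evaluating a paid notification service is the shape of the request: if a checker asks for the password itself, or for a full hash of it, the user is handing over exactly the secret they are worried about. The prefix query gives the service no usable credential even if its own logs are later stolen.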

Others have focused on the fact that Hold Security timed the announcement to fit with the Black Hat Security conference to spark a debate on password security.

PC World said there were unanswered questions about the hack.

Hold Security said the hacking group started out buying stolen credentials on the black market, then used those credentials to launch other attacks. However, it is unclear how many credentials they bought and how many of the 1.2 billion they culled themselves. In other words, this database, if it exists, could be full of ancient data.

It is also not clear if the passwords that are alleged to be stolen came from important financial sites or less important ones. It is also questionable what the hackers would do with those details.

If they are fresh credentials for important services like online banking, they are ripe to be used to siphon money from online accounts. If they are older or from little-used services, they might be used to send spam by email or post it in online forums.