Questions around the severity of the so-called 1.2 billion account hack are circulating, after the security company that identified the data harvesting continues to decline to name the sites involved, instead offering a paid service for sites to check if they’d been compromised. Hold Security revealed the existence of the CyberVor breach to the New York Times earlier this week, claiming that sites as significant as those of Fortune 500 members were “still vulnerable” to the exploit.
At the time, however, the firm declined to detail exactly which companies were unsecured, though the NYT’s independent review of the data suggested the amassed credentials were legitimate. It also appears not to have approached any of the sites supposedly affected to notify them.
Instead, Hold Security began offering what it describes as “breach notification services” which, for a $120 yearly fee, will monitor threats for website owners.
Asked by the WSJ about the product, Hold Security’s founder and CEO Alan Holder said the company had opted to “avoid discussing details about the hackers’ whereabouts and names in case law enforcement has an ongoing investigation.” As for the decision to charge for verification, that’s simply to recoup its own investigation costs, he argued.
So far, the applications of the CyberVor data have been limited to social media spamming.
The Russia-based team is said to have gathered login credentials – including usernames, emails, and passwords – from a wide range of compromised sites, with Hold Security claiming the hackers used a botnet of compromised computers to quickly test servers for susceptibility to SQL injection.
Currently there’s still no way for individuals to check whether their own credentials are on the list, though opinions on how concerned people should be vary.
“To amass 1.2 billion usernames and passwords is impressive but it is not a security threat. This data could have come from dumps on a public web site,” Neohapsis security researcher Joe Schumacher argued. “Personally, I think this is more PR for a crime ring than fear mongering to the general end user.”
Still, no matter where they were sourced, there’s the possibility of phishing attempts using those login details, and the general advice is to change your password regularly, even if you don’t specifically know of a hacking attempt that may have exposed it.