It has been an interesting week for Hold Security, LLC, an information security, risk management, and incident response company. In an August 5 news release with the sensational headline, "You Have Been Hacked," the company announced:
"... Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date... After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data... over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites..."
Hold Security named the gang of Russian hackers "CyberVors." The company's news release also described how the hack happened:
"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited..."
Reportedly, the total haul was 4.5 billion records, most of them username/e-mail and password pairs... a stunning total. It included duplicates and passwords no longer in use:
"If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple passwords corresponding to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses, in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have... or a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website."
News about the hacking was widely reported by news organizations, including the New York Times on August 5:
"Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
Also on August 5, Forbes magazine reported:
"The story provides few details beyond hyperbolic numbers: 1.2 billion username and password combinations... No specifics about the state of those passwords: whether they’re in clear-text — the worst case scenario — or in encrypted form.... "
Users in multiple countries were affected, and Hold Security did not provide a list of countries. The Forbes article described Hold Security's announcement of its subscription service including continuous monitoring for firms and consumers:
"You can pay “as low as $120″ to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up... Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message. Holden says by email that the service will actually be $10/month and $120/year."
The Forbes article was critical of both Hold Security and the New York Times:
"Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it."
I agree with that criticism of Hold Security. The same Hold Security news release also appeared to be a product announcement:
"Companies -- check if your website is susceptible to a SQL injection... Hold Security is proud to announce our new Breach Notification Service (BNS). After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches..."
"Individuals -- the ultimate victims of the CyberVor gang are the end-users. Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days. Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable..."
I would have liked the New York Times reporters to have used more skepticism. The Guardian UK reported on August 6:
"Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records... Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users."
The Guardian UK article concluded with this advice for consumers:
"Security experts are advising that users keep aware of developments with the CyberVor breach, but that immediately changing all their passwords is not yet the appropriate action."
Experts also advised consumers not to use the same password on multiple sites (e.g., bank accounts, social networking sites, e-mail services). A reused password means that one breached site hands criminals a working login for every other site where it was used, which is how stolen credentials turn into stolen money.
"If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive. The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money... If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming..."
You can read about the Target and Global Payments breaches in this blog. After reading about the CyberVors hack, I had two reactions:
1. Something doesn't seem quite right.
During the past seven years I've written this blog, I have learned that companies experiencing data breaches usually hire a security firm to assist with the breach investigation and post-breach incident management. Companies usually notify users and customers affected by the data breach. That notice often includes some period (e.g., one or two years) of free credit monitoring services. The security firm rarely, if ever, marketed any subscription monitoring services directly to consumers without a client company.
So, what Hold Security has done seems to have skipped a couple of steps... important steps. It is critical for the affected companies to do their own breach investigations and to notify their affected users and/or customers. The breach notification laws in many states require such notice.
2. There may be an unreported story that needs to be told.
The New York Times article reported this about its conversations with Alex Holden, the founder and chief information officer at Hold Security:
"“They audited the Internet,” Mr. Holden said."
Assuming that "they" refers to the CyberVors hacking gang, it suggests that the gang may have the capability to analyze e-mail and password combinations at scale. Do hackers employ state-of-the-art data mining or "big data" analysis techniques? If so, that is a scary thought with consequences.
Such analyses could make it easier to guess passwords. If a database of stolen e-mail and password pairs includes the history of a user's passwords, it could make it easier to predict a current password. Here's a simple example (using an extremely poorly constructed password): a consumer used the password "123password" in 2013, then changed it to "234password" in 2014. It doesn't take a genius to guess that the user's probable next password is "345password". If criminals are analyzing the databases of stolen e-mail/password pairs they have compiled, we need to know. I would expect security companies and news organizations to investigate, confirm, and alert consumers.
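To make the two points above concrete (that a password reused across sites is one breach away from compromising all of them, and that a password history makes the next password guessable), here is an example written for this post. It is not code from the original article, from Hold Security, or from any actual breach dataset; the credential records in it are constructed, and the prediction rule is the "123password" counter pattern from the paragraph above generalized to any single run of digits that changes by a constant step.

```python
"""Added example: what an attacker can read out of a credential cache once the
records are grouped per e-mail address. All data below is constructed; the
addresses, sites and passwords are not from any real leak."""
from collections import defaultdict
import re

# Constructed sample dump of (email, site, year, password) records.
SAMPLE_DUMP = [
    ("alice@example.com", "shop.example",  2013, "123password"),
    ("alice@example.com", "forum.example", 2014, "234password"),
    ("bob@example.com",   "shop.example",  2013, "Summer2013"),
    ("bob@example.com",   "mail.example",  2014, "Summer2014"),
    ("bob@example.com",   "bank.example",  2014, "Summer2014"),   # reused on two sites
    ("carol@example.com", "shop.example",  2012, "correct horse"),
    ("carol@example.com", "forum.example", 2014, "Tr0ub4dor&3"),
]

_DIGITS = re.compile(r"\d+")


def group_by_email(records):
    """Map each e-mail address to its (year, site, password) history, oldest first."""
    history = defaultdict(list)
    for email, site, year, password in records:
        history[email].append((year, site, password))
    for entries in history.values():
        entries.sort()
    return history


def find_reuse(records):
    """Return {email: {password: [sites]}} for every password seen on more than
    one site. One breached site then gives a working login for the others."""
    seen = defaultdict(lambda: defaultdict(set))
    for email, site, _year, password in records:
        seen[email][password].add(site)
    return {
        email: {pw: sorted(sites) for pw, sites in pws.items() if len(sites) > 1}
        for email, pws in seen.items()
        if any(len(sites) > 1 for sites in pws.values())
    }


def predict_next(passwords):
    """Given a password history (oldest first), return the next password implied
    by a constant-step change in exactly one digit run ("123password" ->
    "234password" -> "345password"), or None when no such pattern is present."""
    if len(passwords) < 2:
        return None
    prev, last = passwords[-2], passwords[-1]
    prev_runs = list(_DIGITS.finditer(prev))
    last_runs = list(_DIGITS.finditer(last))
    # The non-digit text must be identical, so only the numbers can have moved.
    if not prev_runs or _DIGITS.sub("#", prev) != _DIGITS.sub("#", last):
        return None
    changed = [(p, l) for p, l in zip(prev_runs, last_runs) if p.group() != l.group()]
    if len(changed) != 1:
        return None
    p, l = changed[0]
    step = int(l.group()) - int(p.group())
    if step == 0:
        return None
    nxt = int(l.group()) + step
    if nxt < 0:
        return None
    digits = str(nxt).zfill(len(l.group()))   # keep zero padding: "007" -> "008"
    return last[:l.start()] + digits + last[l.end():]


def predict_all(records):
    """Next-password guess per e-mail address, only where the history supports one.
    Consecutive identical passwords (the same password reused) are collapsed so
    reuse does not hide the counter pattern."""
    guesses = {}
    for email, entries in group_by_email(records).items():
        passwords = []
        for _year, _site, pw in entries:
            if not passwords or passwords[-1] != pw:
                passwords.append(pw)
        guess = predict_next(passwords)
        if guess is not None:
            guesses[email] = guess
    return guesses


if __name__ == "__main__":
    print("password reuse across sites:", find_reuse(SAMPLE_DUMP))
    print("predicted next passwords:", predict_all(SAMPLE_DUMP))
```

The reuse check and the prediction are both nothing more than a group-by on the e-mail address, which is why a large cache of old credentials is dangerous even when most individual entries are stale: the address ties the stale entries together into a per-person history.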
What are your opinions of the CyberVors hacking? Of Hold Security's subscription services?