Skip to main content


According to the New York Times a group of Russian hackers named CyberVor has managed to amass a shitload of user information:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.

The New York Times and other media sources, credit Hold Security (and its owner Alex Holden) for finding the hacked data.

Is this a valid hack?

Yes (links to Politico).
The findings were verified by an independent security expert working on behalf of the Times

What sites were hacked?

At this point, there is no way to know (links to Washington Post):
Hold wouldn’t name the victims, citing nondisclosure agreements and the fact that some sites remain vulnerable.
According to PC Magazine, some of the data in CyberVor's database may have come from other high profile hacks:
The massive database of stolen online identification data purportedly owned by the Russian gang was not attained in a single attack, and in fact, most of the credentials it now possesses were likely purchased over time from other people, Holden said.

The Times speculated that credentials acquired by the gang might have come from both high-profile, corporate security breaches like the Target hack from late last year to simple, opportunistic penetrations of small online operations.

Interestingly, according to PC Magazine, Mr. Holden won't identify where the hacking team is located:
Holden declined to name the city, in the event that law enforcement might want to act on his Milwaukee-based company's findings.

How do users know if their credentials have been stolen?

This is where things get a little more "sketchy".  

Apparently, Hold Security has been in contact with the Washington Post.  In an email to the Post: "Holden clarified that the firm is offering to check people’s e-mails against their database of stolen information to see if it was compromised for free."  

I have been on Hold Security's web site a number of times over the last few hours and I have not seen a simple form which allows a user to enter an email address to determine whether they have been impacted or not.  What I have seen is a link to preregister for an "Identity Protection Service" which will be available in the next 60 days.  Apparently, if you sign up for the yet to be released service, Hold Security will check the email address you provided to see if it matches one in the hacker's database.  If there is a match between your email address and Hold Security's database, then:

If we discover that your email is on our list, we will ask you to provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised. Note that the passwords will be encrypted on your end using a very secure algorithm, so there would be no way for us or anybody else to read them in plain text. Once we find a match, we will let you know which of your passwords have been breached, so that you can go ahead and make the necessary changes to protect your information. We will check up to 15 passwords per email as we understand that many of us reuse the same email address on different websites, such as internet banking, social media etc. However, keep in mind that in some cases passwords may be very outdated or you might have some generic passwords assigned to you by various service providers.
Please note that we will not check any emails belonging to military or government domains.
I decided to investigate Hold Security's "Terms of Service".  Here they are in their entirety:
Any use of the CONSUMER HOLD IDENTITY PROTECTION SERVICE shall be subject to, and in compliance with, Hold Security’s CONSUMER HOLD IDENTITY PROTECTION SERVICE terms and conditions, a copy of which shall be sent to you in a separate confirmation email.
So, you don't know what you get until after you've signed up for it.

WTF? What do I do?

Honestly, I can't advise you.  I am not going to pay up to $120 / month to a company for a product which hasn't been released yet.  Step one for me will be to change my passwords for my most sensitive financial (banks, credit cards, etc.) information.

Diarist's note: I use the Web of Trust (WOT) plugin to determine whether a site is safe to visit.  Hold Security is deemed "Suspicious" based on one user review.
Hold Security
Hold Security's page on the CyberVor hack
Hold Security Terms of Service

Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags


More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site