Overview
According to the New York Times, a group of Russian hackers named CyberVor has managed to amass a shitload of user information:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.
The New York Times and other media sources credit Hold Security (and its owner Alex Holden) for finding the hacked data.
Is this a valid hack?
Yes (links to Politico).
The findings were verified by an independent security expert working on behalf of the Times
What sites were hacked?
At this point, there is no way to know (links to Washington Post):
Hold wouldn’t name the victims, citing nondisclosure agreements and the fact that some sites remain vulnerable.
According to PC Magazine, some of the data in CyberVor's database may have come from other high-profile hacks:
The massive database of stolen online identification data purportedly owned by the Russian gang was not attained in a single attack, and in fact, most of the credentials it now possesses were likely purchased over time from other people, Holden said.
The Times speculated that credentials acquired by the gang might have come from both high-profile, corporate security breaches like the Target hack from late last year to simple, opportunistic penetrations of small online operations.
Interestingly, according to PC Magazine, Mr. Holden won't identify where the hacking team is located:
Holden declined to name the city, in the event that law enforcement might want to act on his Milwaukee-based company's findings.
How do users know if their credentials have been stolen?
This is where things get a little more "sketchy".
Apparently, Hold Security has been in contact with the Washington Post. In an email to the Post: "Holden clarified that the firm is offering to check people’s e-mails against their database of stolen information to see if it was compromised for free."
I have been on Hold Security's web site a number of times over the last few hours and I have not seen a simple form which allows a user to enter an email address to determine whether they have been impacted or not. What I have seen is a link to preregister for an "Identity Protection Service" which will be available in the next 60 days. Apparently, if you sign up for the yet-to-be-released service, Hold Security will check the email address you provided to see if it matches one in the hacker's database. If there is a match between your email address and Hold Security's database, then:
If we discover that your email is on our list, we will ask you to provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised. Note that the passwords will be encrypted on your end using a very secure algorithm, so there would be no way for us or anybody else to read them in plain text. Once we find a match, we will let you know which of your passwords have been breached, so that you can go ahead and make the necessary changes to protect your information. We will check up to 15 passwords per email as we understand that many of us reuse the same email address on different websites, such as internet banking, social media etc. However, keep in mind that in some cases passwords may be very outdated or you might have some generic passwords assigned to you by various service providers.
Please note that we will not check any emails belonging to military or government domains.
I decided to investigate Hold Security's "Terms of Service". Here they are in their entirety:
Any use of the CONSUMER HOLD IDENTITY PROTECTION SERVICE shall be subject to, and in compliance with, Hold Security’s CONSUMER HOLD IDENTITY PROTECTION SERVICE terms and conditions, a copy of which shall be sent to you in a separate confirmation email.
So, you don't know what you get until after you've signed up for it.
WTF? What do I do?
Honestly, I can't advise you. I am not going to pay up to $120 / month to a company for a product which hasn't been released yet. Step one for me will be to change my passwords for my most sensitive financial (banks, credit cards, etc.) information.
Diarist's note: I use the Web of Trust (WOT) plugin to determine whether a site is safe to visit. Hold Security is deemed "Suspicious" based on one user review.
Hold Security
Hold Security's page on the CyberVor hack
Hold Security Terms of Service