Monday, 11 August 2014

Was the 1.2 billion passwords stolen story just a publicity stunt?

Last week the media was buzzing with the story that a Russian gang had supposedly stolen 1.2 billion passwords. But several experts, including ESET's, have raised questions about whether the “news” was just a publicity scam.

At ESET Ireland, we have ourselves noticed that the media love bombastic headlines. If known names get hacked, if governmental institutions lose data, or if many passwords are compromised, the security company revealing this will get a good share of publicity. This is why last week’s media frenzy about “1.2 billion passwords getting hacked by a Russian gang” raised many eyebrows.

What did the “report” say? Somewhere in south central Russia, a group of men in their twenties, dubbed the “CyberVor” gang (“vor” means “thief” in Russian), is thought to be in possession of the largest known haul of stolen internet credentials: 1.2 billion usernames and passwords, together with 542 million email addresses stolen from some 420,000 different websites.

We’re not saying such a thing is impossible, as cybercriminal groups do collect such information via SQL breaches, as was hinted in this case, as well as trading data on their own black market. So a gang intent on hoarding the largest database could, over time, amass the said number of passwords. “Russian hackers” is always a welcome topic that gets attention, even if the statistics sometimes contradict this, so the story got massive global coverage.

And this is where the eyebrow-raising begins. The company that revealed the info is called Hold Security, a company very few people had heard of before this story and one that doesn’t offer an address or phone number on its website. It did, however, get its story about this “massive hack” published in the New York Times just when the Black Hat and Def Con conferences, with many of the world’s top security experts attending, were taking place in Las Vegas.

However, Hold Security did not reveal in any way how they discovered this, what exactly they discovered, what they obtained, or how they disclosed it to the affected websites so that the webmasters could take proactive or reactive measures. Cybersecurity expert Graham Cluley was among the first to express his concerns.

But what followed the shocking announcement left us even more baffled. Hold Security offered a service where they charge webmasters money to find out if their websites were affected by the hack, in a form that is reminiscent of phishing websites, where they ask users to enter their passwords and email addresses for them to “check” if they’ve been hacked! Tony Bradley of Minimal Risk commented in his blog that the disclosure of the Russian password hack seems like a fake antivirus scam.

Kashmir Hill of Forbes made the connection between panic-mongering and making a profit in her article Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected: “the Internet predictably panicked as the story of yet another massive password breach went viral”, but “you can pay ‘as low as $120’ to Hold Security monthly to find out if your site is affected by the breach.”

At ESET Ireland we agree it would be unwise to dismiss the possibility of such a hack, and website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities as well as other commonly found flaws. But the scarcity of evidence or additional info (or the refusal to present it), as well as the shady business offer following it, leaves us all with a very strange aftertaste.
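To make the code-review advice above concrete, here is an added example (ours, not part of the original post and not Hold Security's or ESET's code) showing the kind of SQL injection flaw that lets a single login lookup dump every row of a credentials table, the parameterized query that closes it, and a crude review helper that flags query-building lines worth a second look. The `users` table, its rows and the sample source lines are constructed for the demonstration; the helper's patterns are a heuristic, not a substitute for a proper static analysis tool.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory credentials table with hashed passwords.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hash-a"),
            ("bob", "bob@example.com", "hash-b"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: user-controlled text is spliced straight into the SQL statement,
    # so a value containing quotes can change the query's structure and return
    # rows the caller never asked for.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Fixed: the value travels separately from the statement text, so the driver
    # treats it purely as data; it can never become part of the query structure.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Heuristic review helper: a line that mentions a SQL verb and also builds a
# string dynamically (f-string, .format, % formatting or + concatenation) is a
# candidate for manual review. Expect false positives; it is a triage aid only.
SQL_VERB = re.compile(r"(?i)\b(select|insert|update|delete)\b")
DYNAMIC_BUILD = re.compile(r"""f["']|\.format\(|%\s*\(|\+\s*\w""")


def find_unparameterized_queries(source_lines):
    """Return 1-based line numbers that combine a SQL verb with dynamic string building."""
    hits = []
    for number, line in enumerate(source_lines, start=1):
        if SQL_VERB.search(line) and DYNAMIC_BUILD.search(line):
            hits.append(number)
    return hits


# Constructed source snippet for the review helper.
SAMPLE_SOURCE = [
    'sql = f"SELECT * FROM users WHERE username = \'{username}\'"',
    'cur.execute("SELECT * FROM users WHERE username = ?", (username,))',
    'query = "DELETE FROM sessions WHERE token = " + token',
]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic tautology input used here only to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))       # both rows leak
    print("parameterized:", lookup_parameterized(db, probe))  # no such user
    print("review hits:", find_unparameterized_queries(SAMPLE_SOURCE))
```

Run as a script it prints both rows for the vulnerable lookup and an empty list for the parameterized one, and the review helper flags lines 1 and 3 of the constructed snippet while leaving the parameterized line 2 alone.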