Disclosure of Russian password hack seems like fake antivirus scam

There were plenty of hyperbolic, sky-is-falling headlines yesterday about news that a Russian criminal organization has amassed over a billion compromised passwords. The information was vague and scarce on details, though, and accompanied by a pitch to sell a service from a virtually unknown security vendor. The whole thing feels like a marketing stunt, or a fake antivirus scam perpetrated on a global level.

Let me back up one step, and say that I don’t actually believe it’s a scam. It just has many of the same attributes of a fake AV scam. Hold Security isn’t a household name, but it was involved in exposing the Adobe data breach last year, and there is no reason to assume the breach they’re reporting this time isn’t true.

That said, the combination of over-the-top hyperbole and a lack of details seems sketchy. The Hold Security website goes so far as to label this “the largest security breach.” If true, I won’t argue that 1.2 billion passwords is some sort of record, but if we want to split hairs I don’t agree that it’s the largest breach because the compromised credentials were collected from hundreds of thousands of sites, which is not the same as a single company like Target getting hacked.

I’m not suggesting that this news isn’t cause for concern, though. It is obviously a problem if cybercriminals have a database of 1.2 billion passwords, and 500 million email addresses, from 420,000 vulnerable websites. The problem is that Hold Security was intentionally nebulous about how the information was compromised, or which sites were affected—citing nondisclosure agreements, and concerns that many of the affected sites are still vulnerable.

Does this scenario seem at all familiar? Have you ever received a mysterious pop-up alert on your PC notifying you that a scan has detected untold scary numbers of malware infections—even though the alert wasn’t from the antimalware tool you have installed, or you don’t actually have anything installed in the first place? Have you ever clicked on that notification to discover that this mysterious malware Samaritan also offers a solution, and will gladly eradicate the phantom malware from your system for some sum of money?

Hopefully that hasn’t happened to you personally, but fake AV threats have been around for a while so there’s a fair chance that somebody you know has been hit, and probably even a good chance at least one person you know has actually coughed up the cash to remove the malware threats that weren’t really there.

In this case, the reports seem plausible enough. It is not hard to believe that hundreds of thousands of websites have some weakness, or that Russian hackers may have developed some automated bot capable of scouring the Internet to find vulnerable sites and harvest the information. It’s just a little hard to swallow without some corroborating evidence.

The NY Times article that broke this story claims to have had independent security experts review some of the allegedly compromised data, and that those security experts verified that the claims made by Hold Security appear legitimate. Other than having never heard of them, I have no reason to believe Hold Security is actually trying to perpetrate a scam, and I don’t really mean to imply that. I just feel like the way this news was disclosed, and the fact that Hold Security immediately started using it as bait to try and market its own services smells the same as your typical fake AV scam.

I am not alone, either. Forbes writer Kashmir Hill noted the direct link between inciting panic, and then cashing in on the fallout. She added, “Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.”

Respected security expert Graham Cluley wrote a blog post proclaiming, “I have no doubt that the scale of the CyberVor hacking gang’s ill-gotten gains will make numerous headlines over the coming days, but what I would rather see is Hold Security share comprehensive details of what it has discovered with the public, and for clear advice to be shared with organizations and individuals on how to avoid becoming victims in future.”

Should you take the news seriously and change your passwords or something? Sure. Why not. It’s probably been a few weeks since you did that last time. Keep in mind, though, that if the reports are true and the affected sites haven’t done anything to fix whatever flaw is being exploited, your new password will also be compromised.

Good news, though. Hold Security will help you keep an eye on things…for a fee.