Once you get past the unprecedented numbers – 4.5 billion records, including 1.2 billion unique credentials belonging to more than 500 million email addresses, taken from more than 420,000 FTP servers and websites – the revelations by Hold Security about a data breach by a Russian gang dubbed CyberVor describe an attack built on known vulnerabilities, carried out on an entirely new scale.
Much of the industry's reaction has focused on renewed calls for an alternative to passwords, along with the question of how such breaches should be reported, given Hold's failure to notify those breached and its ‘novel’ approach to monetising the discovery.
Hold's first inclination was to charge website owners to find out if their website was hacked, saying: “After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches.”
According to the Wall Street Journal, the firm posted a message on its site saying it would charge US$ 120 (£71) a month for its breach notification service, but this was later replaced by a message saying "coming soon!"
For individuals, Hold says it will be providing a full electronic identity monitoring service within the next 60 days. The company statement adds: “Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable. While we are getting our full service ready, we are inviting you to express your interest by pre-registering, free of charge and without any commitment.”
James Mullock, lawyer and partner at international law firm Osborne Clarke, noted in a public statement: “An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations. There is currently little legislative guidance regulating how that process should operate and it appears ripe for review.”
Vanja Svajcer, principal security researcher at Sophos, concurred, adding in an email to SC: “This is quite an unusual approach to remediating an alleged major credentials compromise. For a long time the security industry has freely shared information on breaches within its own community. Researchers discovering credentials breaches usually help end users either by making the information about compromised accounts public or by working with the company whose servers were compromised to inform all affected users.
"In this case, the credentials were harvested from thousands of servers and it would be difficult to work with every server owner to inform the compromised users. Nevertheless, it is reasonable to expect the company to make the information freely available so everybody can check that none of their email addresses have been compromised."