Well, the BBC and The New York Times have both published pieces on the Russian hackers “CyberVor”. The claim is that 1.2 billion user names and passwords from some 420,000 websites have been hacked. The sites/users affected, nature of the vulnerability, and severity of the threat have not been disclosed.
Skeptics have pointed out that, well, things don’t really add up. The biggest problem is that The New York Times was fed the CyberVor piece by the security firm Hold Security. This is the very same firm that stands to profit from this security breach, by charging $120/year for their services. The New York Times piece, to my eye, does not validate the information provided by Hold Security. The truth is that it’s in Hold Security’s interest to exaggerate the breach, and in The New York Times’ interest to report the story as quickly as possible. Without released facts or data, this entire story could have been fabricated by Hold Security. This is unlikely, as The New York Times piece claims that two unaffiliated sources verified the database as authentic. Still, experts seem to think the threat could be exaggerated.
So what does Hold Security know about CyberVor? According to The New York Times piece (which means according to Hold Security, who sell the solution to the CyberVor problem), CyberVor is made up of fewer than a dozen men in South Central Russia. Hold Security knows this because they have been in communication with them. Seriously.
I’ll be interested in seeing how this develops. As it is, I see a lot of big claims with no evidence or specifics, and the group making the claim profiting from the resulting panic. I also find it odd that CyberVor and Hold Security communicate. Is that normal? Do hackers usually chat with data security firms? I can’t even verify that CyberVor is a thing from anyone other than Hold Security because, well, Hold Security coined the term CyberVor, and that is all we have to go on.
As other skeptics have advised, however the threat plays out, taking cyber security seriously is a wise decision. I recently invested in password management software, and highly recommend it.