The Washington Post

Russian hackers steal more than 1 billion passwords. Security firm seizes opportunity.

For security firms, a major online security breach is a potential marketing opportunity.

The latest is legitimately scary: Russian hackers stole 1.2 billion unique username and password combinations – that’s nearly the population of China – and more than 500 million e-mail addresses, according to a New York Times story published late Tuesday.

The firm that uncovered the breach, Hold Security of Milwaukee, said a group of about 20 hackers from south-central Russia is to blame. The group, dubbed “CyberVor” (“vor” meaning “thief” in Russian), stole data from thousands of business Web sites, both small and large, and even from personal Web sites.

At the Times’s request, a security expert not affiliated with Hold analyzed the database of stolen information and confirmed its authenticity.

Alex Holden, the founder and chief information security officer of Hold, told the Times most of the sites remain vulnerable.

The criminals have sold some of the records online, but mostly seem to be using the information to send marketing pitches and other spam on social networks on behalf of others who pay them for it, the Times reported.

Hold wouldn’t name the victims, citing nondisclosure agreements and the fact that some sites remain vulnerable. However, Hold Security would be happy to sell you its services.

Last night, if you went to Hold Security’s Web site, a bright red box said “Breaking News: Hold Security uncovers the largest ever security breach! Over one billion of stolen credentials to thousands of websites!”

Click the link and you’re taken to a page that says “YOU HAVE BEEN HACKED!” followed by a description of the breach. “Do not panic! Try to strategize,” they write, before inviting you to sign up for a 30-day free trial of an identity theft monitoring service that is not available yet. (They say it will be up and running within 60 days.)

You can almost hear a TV announcer saying “…and then only $9.99 a month!”

An attempt to pre-register around 11:00 p.m. on Tuesday resulted in this e-mail confirmation message (typo is theirs):

Was you identity compromised?

Account Confirmation

Confirmation failed. Please try again later.

However, the firm appears to be up late working out the kinks. A subsequent attempt to register several hours later was successful.

In an e-mail to The Washington Post, Holden clarified that the firm is offering, for free, to check people’s e-mail addresses against its database of stolen information to see if they were compromised. However, on the Web site the firm suggests you aren’t really safe unless you pay for its monitoring services: “Keep in mind that our database is getting constantly updated and even though your email might not be on the list right now, it might be in the future, which is where our continuous monitoring steps in.”

In an e-mail to The Post, Holden described the offer to run the free e-mail check as “a good social decision but not so good business decision.”

It appears the firm initially planned to charge for its services. According to Forbes reporter Kashmir Hill, after the Times story ran Hold Security’s Web site advertised its services to potential victims of the breach for “as low as 120$/month [sic]” with a “money back guarantee.”

Wall Street Journal reporter Danny Yadron noticed Hold’s ad and tweeted about it. It was quickly taken down. A modified version has since appeared offering pre-registration for the free 30-day trial.

Holden told Forbes in an e-mail that the paid service will be $10 per month or $120 per year. “We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he said. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”

It’s normal for security firms to charge people for information about the breaches they uncover – that’s how they get paid for the work that they do. But as Hill noted, “this is a pretty direct link between a panic and a pay-out for a security firm. Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.”