Yesterday, The New York Times dropped an exclusive account of what reporter Nicole Perlroth called "the biggest hack ever." By the numbers it certainly held up: 1.2 billion accounts, covering 500 million unique email addresses over 420,000 websites. The data had been captured by a Russian hacker group called CyberVor, and revealed by Hold Security. But as the smoke clears, the hack seems to be less of a criminal masterwork than the article might have you believe.
The biggest problem, as Forbes's Kashmir Hill and The Wall Street Journal's Danny Yadron have noted, is that Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it's just trying to recoup expenses, but there's something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is.
Of course, facts are still facts, but even the hard data here is a little strange. If the idea of hacking 1.2 billion usernames sounds incredible, it should. There are just a handful of services with over a billion users — Facebook, Google Search, and Microsoft Office lead the pack — and if any of those were involved, Hold wouldn't be shy about saying so. Instead, this data comes from hundreds of thousands of compromises over the course of months. Comparing it to breaches like Adobe or Target, as Perlroth does repeatedly, simply doesn't make sense.
It would still be impressive if CyberVor had managed to hack that data across all 420,000 sites, but even that is unclear. Here's Hold Security's description of the attack:
Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... [which] used victims’ systems to identify SQL vulnerabilities on the sites they visited.... eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
Notice anything odd? Both Perlroth's article and Hold Security's description stop short of saying the group actually stole all 1.2 billion passwords. They just "eventually ended up" with them. We already know the gang started out by buying data from earlier hacks, but it's remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else's hack.
Read more on this story at The Verge.
Comments
Log in or sign up to join the conversation.