The U.S. Company Profiting From That Huge Russian Password Hack

Aug 06, 2014 at 3:36 PM ET

The New York Times published a fascinating, scary scoop this week about a team of young Russian hackers who amassed a fortune in stolen credentials. Operating somewhere near the border of Kazakhstan, the cyber gang devised a network of botnets around the world to break into some 420,000 websites. Ultimately, the hackers stole 1.2 billion usernames and passwords and promptly began selling them on the black market.

If you were one of the millions affected by this massive breach, well, sorry to say, it might cost you.

See, the original scoop that fueled the New York Times report came from a small security firm in Milwaukee called Hold Security. On its site, the privately held company describes itself as a deep web monitoring firm that works “with companies around the world to enhance their security posture.” Hold Security’s boss, Alex Holden, has already made a name for himself in the community by catching major online fraudsters (it was his firm that first detected the October 2013 Adobe hacking case).

Naturally, this sort of exposure is great for companies like this one. Exposing massive hacks to the media demonstrates a keen awareness of what’s happening in the underground cyber communities. Isn’t the firm that detected one of the biggest security breaches in history the kind you’d trust to protect your identity online?

The incident, however, also exposes a slimier part of the security business. Despite being forthcoming with the huge figures involved, Hold Security did not actually disclose which websites or users the Russians targeted. Rather, it offered to help you find out for yourself by entering your credentials on its website. That is when things might start getting costly.

Granted, Hold Security notes that its Hold Identity subscription service, the one you’d use to see if you were targeted, “is FREE for 30 days if you sign up right now.” You put in your email address, and it should, theoretically, let you know if you’ve been a victim. “However,” the company says, “keep in mind that our database is getting constantly updated and even though your email might not be on the list right now, it might be in the future, which is where our continuous monitoring steps in.”

And what exactly is the continuous monitoring service? It’s a paid program, naturally, starting at $120 per year.

Now this somewhat sketchy use of fees has been noted before. Yesterday Forbes questioned Holden directly. Writes Kashmir Hill: “It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm.”

Holden responded, “We are charging this symbolical fee to recover our expense to verify the domain or website ownership. While we do not anticipate any fraud, we need to be cognizant of its potential.”

Of course, other industries have plenty of parallels. You can make the argument that burglary is good for home security businesses, or that drug abuse is good for private rehab clinics. But the timing of the New York Times story is interesting. This week is the Black Hat conference in Las Vegas, an annual confab where the world’s top security software sellers hawk their products to companies. In other words, there’s a bit of showmanship and PR surrounding this story. For all the apparent altruism involved in reaching out to the Times, it is easy to see Hold Security’s moves as an attempt to win new customers, both private and corporate.

Ironically, if the release was indeed a cynical marketing strategy, it may very well be having the opposite effect. Observers have noted that Hold Security is seeing some blowback after the Times report, not just from the press, but also from savvy potential customers.

“By refusing to make available the complete list of compromised sites Hold Security is choosing to be part of the problem,” writes Ronald Coleman on Hold Security’s Facebook page. “It would appear that Hold Security is more interested in generating business than in helping the victims.”