Massive Russian Hack Has Researchers Scratching Their Heads
itwbennett writes: Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.
I'm getting pretty dubious of the entire claim. Some company wants to sell its security monitoring service, declares "we've got a huge database of stolen credentials, but we're not going to let you see it without paying up first, or at least signing up for a service that will bill you after 30 days."
I call BS.
The world's burning. Moped Jesus spotted on I50. Details at 11.
It sounds quite fishy because they ask for a $120 subscription, not to let you access the data, but for a service that lets you know whether or not you are affected by it.
- Here's my $120, what's going on with this?
- You're not affected, goodbye.
- But, hey!
- You're not affected, goodbye.
Either they're in on the theft somehow, or they're a totally unethical company trying to extort people. No trustworthy security vendor would withhold information about sites that are compromised from the site operators.
I think it's just a marketing ploy personally. "You may have already won! Contact us for details ($1.99 a minute)".
Regardless, they're on my list of companies to never do business with in any way. I