Mega password hijack

MichaelB

I've been trying to hit Hold Security's website all morning. According to the articles I've read, you can find out if your email address was part of the thefts.

But their website is unavailable, or running REAL slow to the point it doesn't work.

I suppose they're being slammed with visitors after this article came out.
 
My mind is getting around the fact that there are more than a billion passwords in existence.

Looks like some password changing homework to do soon. :facepalm:

I wonder what does Edward Snowden have to say about this :LOL:
 
Note that there appears to be a fake Hold Security website with which you can register your name and email, then enter up to 11 passwords "bellow" with which they will determine if "you" security has been compromised. They swear that they won't get your passwords when you enter them, honest!

Just be careful what you enter online...
 
This sounds like it's more hype than substance to me.
 
sengsational - Sounds legit to me: "At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

I changed our financial website passwords this morning. Took only a few minutes. Not worried about my email or social passwords. Doubt a Russian hacker could make me look dumber on Twitter than I already do.
 
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!
 
I saw this news on Ars Technica, but they only referenced the NYT report and had nothing to add. It is strange, and there is a faint aroma of a PR effort. In hacking, however, I see no reason to give the benefit of the doubt to the status quo, previous major hacks have been acknowledged after reporting by third parties. If this is a new hack it will be soon confirmed.
 
Based on the appearance of Hold Security's online app (cited in my post above), I wouldn't use it. If you're a professional organization, you don't have simple misspellings like that. I'm not taking their word for it... rather than check with their "30-day free trial," I'll just change my random passwords at my financial places tonight.
 
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!

Funny, I came to the same conclusion after a meeting with our CIO this morning, who asked me to look into the details. Besides, login credentials are stolen all the time (via key loggers, viruses, social engineering, phishing etc). It all seems like hype to me (and great for the multi-factor authentication companies to push their products).
 
Who's Hold Security? No one ever has heard of them, oh wait NOW we have!

If that many userids/passwords were stolen (1.2B) it's going to take some time to use them. I'm careful about emails. Bottom line, I'm not jumping through hoops every X days or Y weeks these announcements are released. My userids (when I can create them vs my email address being the site default) and passwords are all long and complex. My security/secret questions are total BS. Are they safe? I don't know. I don't store credit card info on any website; rather I go through the annoyance of having to enter it, and besides, my cc companies won't hold me liable for fraud.

I have 3 financial institutions that I deem important, 2 for retirement investments, both household names, and an online bank. I could change those 3 but if I do I'll be back to doing it again before we have a full cycle of the moon. If they released the names of the institutions, companies et al, then if affected I'd change them, but they aren't, so maybe I'm not affected.
 
sengsational - Sounds legit to me: "At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."

I changed our financial website passwords this morning. Took only a few minutes. Not worried about my email or social passwords. Doubt a Russian hacker could make me look dumber on Twitter than I already do.
I wouldn't be careless with your email account. If someone hacks into your email, they can then go into your other accounts and use the Forgot Password option to have a new password or activation link sent to that email account, and now they are into your other accounts.

Whether this is legit or not, I'm not sure, but I did change my email and financial institution accounts today. Better safe than sorry.
 
Here is Krebs' take on the matter. IMHO, he is an authoritative source.

Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security

Regarding the person who runs Hold Security he states:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy.

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.
 
RunningBum - Excellent point.
*sighs*
*changes email passwords*

Chuckanut - Agree, Hold Security is legit. Plus NYTimes claims they had independent experts verify the claim.

I'd rather change passwords than not change them and then wake up tomorrow to see that Vanguard userid/pwords were compromised... :facepalm:
 
I'm just looking at the way the information was written-up on that Hold Security site. Reading between the lines, it looks to me like some hacker entity gathered up a bunch of credentials that have been collected from dinky web sites using SQL injection. I suspect the collection of these credentials spans years. SQL injection is as old as the hills, and big boys, like your bank, know how to protect against it. And this Hold Security looks like a mom and pop shop that is trying to make money (pay them $120 to see if your site was hacked).

Changing your password is always a good idea, but I'm not going to do it because of this flakey bit of news!
I like your attitude! :)

I change my financial passwords once per year. If you suddenly see Lsbcal with misspellings and Russian sounding English mis-phrasings, you know I've been hacked.

As they said in one memorable movie, "Russians coming, please to get from street!"
 
So I read this article Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security and it seems that the theft is of email userids and passwords, not from companies or financial institutions. As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places. Of course we all know that and hopefully follow that. So maybe changing your email password is prudent; I don't think I can change my userid as it is my email address.
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
 
So I read this article Q&A on the Reported Theft of 1.2B Email Accounts — Krebs on Security and it seems that the theft is of email userids and passwords, not from companies or financial institutions. As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places. Of course we all know that and hopefully follow that. So maybe changing your email password is prudent; I don't think I can change my userid as it is my email address.
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

The issue with email is that many sites allow a password change with a simple email message. If they have your email they can change your password.
 
On that Krebs article - READ THE COMMENTS!

There is more going on than meets the eye. Layers of "spin" it seems.

But I have noticed an uptick in email spam using names of people I know, even though this "announcement" is really talking about data accumulated over years.
 
... As noted in the article, if you use your email userid and/or password in other places you are in deeper trouble than if you use unique ones for all places. ...

Hopefully this hacker incident is a wake up call for sites to stop using the email as a user id.

I like how some bank and credit card sites allow the changing of the userid. That came in very handy when my computer encountered a keylogger a few years back.
 
Hopefully this hacker incident is a wake up call for sites to stop using the email as a user id.
...
Not sure this is really a problem. I suppose they could spoof the hacked site and send to my email, but I wouldn't respond to such spoofs.
 
I'm not worried about some Russian hacker breaking into any of my accounts. Now, those Georgians, on the other hand...
 
I'm not worried about some Russian hacker breaking into any of my accounts. Now, those Georgians, on the other hand...
Another hacker from the land of Putin?

:)
 
I'm not worried about some Russian hacker breaking into any of my accounts. Now, those Georgians, on the other hand...
You mean where they grow the peaches?:LOL:
 
Not sure this is really a problem. I suppose they could spoof the hacked site and send to my email, but I wouldn't respond to such spoofs.

I'm thinking more like if the bad guys know your email, they go to a place where you have an account and then do a password reset.
 