Over a Billion Passwords Stolen?

I've been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

Yesterday, Forbes wrote that Hold Security is charging people $120 to tell them if they're in the stolen-password database:

"In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach," says the site's description of the service using its pet name for the most recent breach. "The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away."

Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a "coming soon" message.

Holden says by email that the service will actually be $10/month and $120/year. "We are charging this symbolical fee to recover our expense to verify the domain or website ownership," he says by email. "While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the 'good guys'. Believe it or not, it is a hard and often thankless task."

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and yet it's all okay. This is a weird paradox that we're used to by now.

Oh, and if you want to change your passwords, here's my advice.

EDITED TO ADD (8/7): Brian Krebs vouches for Hold Security. On the other hand, it had no web presence until this story hit. Despite Krebs, I'm skeptical.

EDITED TO ADD (8/7): Here's an article about Hold Security from February with suspiciously similar numbers.

EDITED TO ADD (8/9): Another skeptical take.

Posted on August 7, 2014 at 7:45 AM • 57 Comments


The Last Stand of Frej • August 7, 2014 8:13 AM

I'm in Wisconsin, too. I work in the infosec industry and have never heard of these guys either.

Ujjawal • August 7, 2014 8:18 AM

You might be right, but what if you are wrong? The implications of this could be huge. Even though this might be just a PR trick, the question is what if it's not. The main piece of information which is missing is what websites they belong to. Obviously I don't care if this belongs to some website I logged in to only once, and that because I was forced to, but yes, it's certainly clear that it does not belong to any big company, as we have not had any breach report from any of these companies.

Loyal Citizen • August 7, 2014 8:37 AM

Brian Krebs has vouched for the authenticity of the data-- curiouser and curiouser.

brian • August 7, 2014 8:43 AM

FYI: Brian Krebs is on the Advisory Board for Hold Security. So, I'm not sure how valuable it is, that he "vouches" for them. Krebs is good, but this whole thing is lame!

The Last Stand of Frej • August 7, 2014 8:44 AM

But a guy from Sophos is also skeptical of Hold Security:

"The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."


Major • August 7, 2014 8:52 AM

Check out holdsecurity.com on the wayback machine (archive.org)

It shows the first instance of the URL in June of 2013 - but check any page link before yesterday (Aug 6).... there are no pages displayed at all.

So for over a year, the URL was valid and took you to a blank white page. Until the story hit.

anon • August 7, 2014 9:21 AM

$ whois holdsecurity.com | grep Creation
Creation Date: 19-feb-2013
Creation Date: 2013-02-19 17:59:06

$ curl --silent "https://www.facebook.com/pages/Hold-Security/673840519359027?sk=info" | grep Joined | awk -F\<
<th class="label">Joined Facebook</th><td class="data">07/01/2014

"Hold Security" is a F'ing joke, and they can go die in a fire.

Edward • August 7, 2014 9:22 AM

Thanks for your perspective, Bruce. Notwithstanding implicit and indirect validation by Krebs, I haven't seen anything else to make this any more believable now that I've read your synthesis.

Here's my question: What national institution is (or should be) empowered and expected to offer a meaningful alert to consumers and businesses in circumstances like this? CERT is too obscure and quasi-private, the FCC does not really have any jurisdiction over the Internet, nor does the United States Postal Service.

Bernd • August 7, 2014 9:36 AM

At next year's Black Hat, there will be a talk from a company called Release Security, introducing a $60/month service to warn you about stolen-password scams ...

Clive Robinson • August 7, 2014 9:49 AM

@ Major,

So for over a year, the URL was valid and took you to a blank white page. Until the story hit.

You forgot to add "until just before Blackhat"...

Anyone checked to see if Hold Security or Mr Holden are there?

I am not overly worried about the 1.2 billion; it's just a number like any other, and like the --supposed-- number of Facebook users really only of use if you are selling something, and thus is almost guaranteed to have double counting etc. in it... So the number is at best a biased estimate.

Then there is the issue of "validity", that is these passwords would have been gathered over time, people change their passwords as often as 13 times a year due to company policy etc, so how many of these passwords are still valid...

So I'm going to find a nice comfy spot on the fence, and sit there a while over this announcement.

Gerard van Vooren • August 7, 2014 9:56 AM

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and yet it's all okay. This is a weird paradox that we're used to by now.

There is a contradiction in that text (or I read it wrong). First there is the saying that the internet is rather safe. Then there is the saying that security is terrible everywhere.

On / offtopic:

Although everyone with enough means steals whatever they can, that data isn't being harmfully misused on a massive scale. Personally I consider that "Google-safe". They (whoever that is) have all the data, but only use it to get rich, preferably legit.

Still I wonder how much more theft we are willing to accept. I think it helps if the passwords of Obama or Merkel are on that list.

Maybe it is time to just skip HTTP/2.0 and go directly to HTTP/3.0 [1], use seL4-like microkernels, safe programming languages, update the USB spec and so on. I just don't see it happening.

[1] http://lists.w3.org/Archives/Public/ietf-http-wg/2014AprJun/1539.html

Dave • August 7, 2014 10:47 AM

A quick Google news search from 1/1/2010 to 7/1/2014 doesn't turn up one link to the Hold Security site (https://www.google.com/search?q=hold+security&biw=1707&bih=1017&source=lnt&tbs=cdr%3A1%2Ccd_min%3A2010%2Ccd_max%3A7%2F1%2F2014&tbm=nws).

They claim and imply (http://www.holdsecurity.com/news/) important roles in discovery or involvement in breach investigations, but they aren't mentioned anywhere that I've found. Even a secondary player typically gets an honorable mention from the leading group(s) most of the time.

The website appears out of nowhere?

Sorry. Not sounding very legit to me either. I'm more inclined to think this is an experiment that Krebs might be involved in to gauge reaction or something.

MartinW • August 7, 2014 10:51 AM

The only take away for me is, security expertise is as squirrelly as the media. Everyone's a freakin' expert...until they aren't.

Pretty Fly • August 7, 2014 10:54 AM

I hope i'm not offending anybody, but this is a clear demo of disconnect between western and eastern infosec scenes. Anybody following the Ukraine/Russia scene for any length of time would recognize Alex and his work, would recognize what this database is, how it was acquired, what type of sites and accounts were likely broken into (and why the 40,000 number sounds right - it isn't 40,000 exploits, it is a handful of exploits applied 40,000 times) and what those accounts are used for.

These groups are divided horizontally by responsibility with one task to each person, and the 'groups' are loose affiliation. Alex would have had to work his way in by providing a service, which would have taken time and resources.

Hold Security is explained, I believe, by him bringing what he knows from places where interesting things happen (to the point where experts are struggling to explain it) to a market that has money to pay for that info. Not many people who can serve as that bridge, so there is definitely value there as a service.

I wouldn't pay for the service because I believe I have a pretty good idea of what the data is, but it is definitely wrong to dismiss both the story and the person involved. My first reaction was that he blew his cover too soon, as there is definitely more interesting work out there than the webspam groups picking up pennies - but he might have been right with his timing since this is getting so much attention.

MartinW • August 7, 2014 10:55 AM

OK Dave, post your email address so I can send you a list of 120,000 US company names. I need you to tell me which ones are legit because you've heard of them before (or spent 30 seconds Googling the name), and which ones are NOT because you've never heard of them before.

Stephen Thomas • August 7, 2014 11:18 AM

I'm skeptical as well, but, to be fair, I think the commercial service ($120 or $10 or whatever) is supposed to let web sites check to see if their users are in the dump. It's not for individual users to check if their personal credentials are. (At least, that's how I read the announcement.)

Spaceman Spiff • August 7, 2014 11:35 AM

This sounds like an advanced phishing scam to me. I wouldn't trust them with my zip code, let alone my AMEX #...

jggimi • August 7, 2014 11:42 AM

Hoovers.com knows of a Hold Security located in Kecskemet, Hungary. There's also a Hold Security Servicos Sc Ltda located in São Paulo.

The two firms offer bodyguards and photocopying, respectively.

What's the overused quote used on reddit.com that could be applicable here? Oh, yeah: "Hold Security? Seems Legit."

Anony • August 7, 2014 11:55 AM

If I use a random number generator to create a billion user-names and passwords, and put them on a rented web-server with known security vulnerabilities, and watch the network from a second hardened box with tcpdump in promiscuous mode to see when and who steals the list, can I charge everyone $120/year too? There's this island I've had my eye on in the south pacific...

Unnamed Milwaukee Infosec Guy • August 7, 2014 2:26 PM

If you think Hold Security manufactured data to get rich quick, then you must also think Kaspersky creates and releases viruses. Additionally, these days tech companies DO start and become "legit" literally overnight. Yes, even security companies.

The comments made by "Pretty Fly" (one of the few who aren't "me too" commenters) are on the right track, so reread them if you just skimmed. Speaking of which, Alex's biggest mistake IMHO was putting his name, photo, and bio on his website--with no other "employees" listed--too soon: it not only contributes to delegitimizing his "company" but may also have contributed to blowing his cover, as Pretty Fly put it; however, if he used good HUMINT and OPSEC techniques it's entirely possible his underground/black market identity can't or won't be linked to his real one.

This is a situation so common and simple there are probably several readers--if not commenters--who've done it themselves. Alex has a skill that can be used internally, working for "the man," or externally, working for himself. Most of us like the idea of working for ourselves, and most of us think we can do XYZ better than others and deserve to be paid more than we're making for it, but only some of us actually take the financial and reputational risks to hang out a shingle and try to earn a living that way.

Alex decided to do just that--including risking his reputation--by incorporating as a "consulting firm" which, as anyone who's started or hired a small one knows, very often begins life as one or two people with one big client they "stole" from their former employer, or one "cash cow" product/service. His skill has two parts: 1) being computer savvy, particularly in computer security; and 2) being literate in Ukrainian and/or Russian. It doesn't take a genius to realize that's a rare and potentially lucrative combination right now. So his hopeful cash cow is obtaining and providing threat intelligence for a fee.

Hold (part of Alex's surname in case it slipped by you) Security is simply Alex as sole proprietor/trader with the liability protection the LLC affords him. Every company in existence can trace its roots to starting out as one or two people.

I've lived and worked around Milwaukee for almost 10 years and I think I'm within a few years of Alex in age but I've never heard of him (or his young company), so I don't know him and can't vouch for him. But I am, like many of you, familiar with dealing with "companies" that are virtually unknown and really only consist of one or two people, yet clearly have the expertise to get the job done.

Alex/Hold may be unknown to the infosec cognoscenti and trying to make a sudden splash, but that doesn't mean we should summarily dismiss the intel. We also shouldn't dismiss it just because it came from an "unlikely" source. Furthermore, we shouldn't be quick to demand the data because it could reveal him or his methods which may not only hurt him but anyone else who's developing or monitoring the same assets. And besides, those who aren't Russian literate couldn't make sense of the raw data that led to his conclusion anyway.

Sancho_P • August 7, 2014 3:36 PM

OK, I understand:
“Der böze Russe” (=Putin) is not, but **could be** behind the crime, and thanks to a Ukrainian security expert we now learned about it. The Blackhat is a bad coincidence, obviously, as is the shelling of Donetsk (no, only the town, not the own people there, so peace can be restored within days, and they will live happily ever after).

So they’ve collected (mind it: the same wording as with the NSA, it is collection, not theft = crime) 1.2 billion unique “credentials”. Now the NYT article (or Mr. Holden?) boiled them down to 542 unique email addresses because we “tend to use multiple emails” (oh yes, we use 2+ credentials per email account) and then mixed that together with “most of these sites are still vulnerable”. Here I stopped reading the NYT article (sorry, Mr. Holden).

Mr. Krebs wrote they’d do it for “Spam, spam and….oh, spam.”.

Exactly this takes me back to Bruce’s “contradiction”: I think he is absolutely right.
The Internet is terribly (in)secure.
Some even make a living out of that fact (he he he).

You want to spam from my free email accounts? Go ahead, it doesn’t hurt me, probably my providers. However, I’d like to know the return for that effort. Advertising is a serious business, you have to know your target, otherwise it’s wasting time.

You want access to my bank account? OK, but mind you, transactions need more than my credentials.
You want access to my server? Sorry, collected “credentials” are not enough to get VPN access to my company.

- I know it’s not that easy, but the real problems in the Internet do not rely on username and pwd.

Our governments are sleeping behind the wheel. And their well funded NSAgencies search and monitor the Internet, happy about each spam email because it will increase their budget.
Anyway, it seems “collecting intelligence” is not a crime.

BTW nothing to say against a one man show, on the contrary.
But as a business model I’d suggest to deliver first (**at point**, e.g. to a TLA) to make broad reputation, and cash afterwards with the service.

Nick P • August 7, 2014 3:57 PM

@ 0652

Thanks for the link. As usual, Krebs has the goods when it comes to underground intelligence.

Anura • August 7, 2014 4:54 PM

@Nick P

Shortening 0652ad81da6c241b03ff618cd635563084dba4caaca911b45c638d7bdb91f0cb to 0652 is the equivalent of shortening Nick P to Ni, and "Ni" gets annoying fast. The correct short version of their name is "FIv2g886eVEB4oiybtyn9Q==".

q • August 7, 2014 5:06 PM

To me it seems legit, but the researcher has totally botched the PR aspect of going public. Not a rare occasion with "technical people". I hope he can still salvage the situation.

Who Benefits • August 7, 2014 6:04 PM

This story may be a disinformation operation designed to cancel news surrounding Snowden's residency extension in Russia.

It neatly steals focus from Snowden while smearing all things generally connected with Russia, hackers, and infosec professionals.

Manfred Braun • August 7, 2014 6:44 PM

Hi !

Suspect from other perspectives too ....
Currently, Russians are evil, like this
Russian hacker show too ....
Just more evidence ...

Sh4d0vv • August 7, 2014 8:11 PM

Hold Security "...had no web presence until this story hit. (...) I'm skeptical."

What you think, is what's correct. Either Hold Security is on it or Hold Security IS on it.

brian • August 8, 2014 1:51 AM

The first question that came to mind was, how is Hold so confident about the number (even if an estimate) of credential pairs? I've not seen anything remotely close to an explanation as to how they came to that number.

And then the $120 pretty much sealed it for me.

Winter • August 8, 2014 2:56 AM

"“Der böze Russe” (=Putin) is not, but **could be** behind the crime, and thanks to a Ukrainian security expert we now learned about it."

This is a sore point over here in Europe.

The reactions of Mr Putin on shooting down an airplane with 200 of my countrymen (including a family living at the end of my street) showed me that he is indeed "Ein sehr böser Russe".

Dewi Morgan • August 8, 2014 3:48 AM

Here's the thing: go and register with their site, for the free signup for their notification service. Go on, try it.

To find out if your password is legit, they're asking you for your email address *and a bunch of passwords*. Not just one, but all your passwords that you might be worried about. "It's safe to give us your passwords" they are saying, "because we're only taking unsalted HASHES of the passwords. Honest, trust us". (looking at the JS, that indeed seems to be what it's doing, but seriously, what user should be expected to do that? What are they THINKING to ever, *ever* make a form that asks people for their passwords?)

And what does this tell you about their understanding of password security? For me, it says "they are either malicious, or dangerously incompetent."

They have *absolutely no need* for your password, hashed or otherwise.

There are two purposes that I can see, that they might *think* they have:
1) to run a dictionary attack against your hash, and hack you;
2) to compare to a list of unsalted hashes of the cracked passwords.

[Note that technically, the two cases are different only in the dictionary used: the first is a Really Big Dict, and the second only has a billion or so words that happen to be known passwords].

But the second case makes no sense. Unless their database of passwords comes with an email address of the account holder, how can they verify that the victim whose password matches yours is indeed you? But if the passwords DO each come with an email address, then that's all they need. They need *no other information* to tell you if you have been targeted. They certainly don't need your password to confirm it.

Since the second case makes no sense, then this must be the first case. My bet: some kind of performance art. Krebs is only vouching for them because he's in on the joke.

Lee • August 8, 2014 4:15 AM

Indeed I've been racking my brains as Alex Holden was a name I'm familiar with and it all comes back round to Krebs. Given Holden's background, I would say he's a resource Krebs uses when researching - native Russian/Ukrainian is most likely very helpful when going into the underground to get information.

Maybe he's a Blackhat making the journey to Whitehat?

But what I know is hardly any "users" are going to bother subscribing to his service. They're the same users who use the same password (and email address) on all sites - and don't use complex passwords, password managers or 2FA if available.

And no matter how much noise his marketing drive makes, that isn't going to change.

Bart Friederichs • August 8, 2014 6:43 AM

It all smells fake. I did an image search on the photo in the "About" section of the site and found it is a stock photo.

Even if the company is real, it doesn't show enough trust to do any business with them.

Pretty Fly • August 8, 2014 9:18 AM

> Maybe he's a Blackhat making the journey to Whitehat?

Ding, ding, ding! We have a winner.

Alex • August 8, 2014 12:33 PM

Today it is far more likely that your passwords are stolen with a keylogger / backdoor code / common program vulnerability than cracked with a password cracker.

Alex • August 8, 2014 12:46 PM

...its kinda funny, it's a mad world, nobody gives a thing about privacy anymore and some people are concerned that their passwords are too weak...

Any program you install wants access to everything; any developer considers themselves entitled to steal everything on your computer once the NSA did this. Even more, well-known programs have obvious privacy-stealing code inside, revealed to the public, and nobody cares.
Your every email or conversation is parsed and stored; anyone has tens of programs they know nothing about on their computer or phone... Almost everything on your computer, router, controllers, memory sticks, CPU etc. may be backdoored to record your keystrokes; hackers or agencies get terabytes of passwords or your full hard disk content...

...and you still think a strong password really helps?

You are in another age, my friends. It would be far more useful to describe how to enter a password with a virtual keyboard, or how to make separate security levels accounts...

Alex • August 8, 2014 12:52 PM

...or how to safely delete the sh*t you encrypted with your very strong password, so it won't be recovered from your hard disk, remotely, without you ever thinking about it.
(see that the last interesting "data" may be already stored in a queue, somewhere, even if you safely delete it)

Bob • August 8, 2014 2:06 PM

Are we to believe password security is totally useless now?

And so, what to do, what to do?

I know....thumb print scanners, iris scanners, dna analyzers, body odor scanners. All great stuff which once digitized can be stored forever. End users (targets) can never change or escape from their identity. An additional benefit is there is no legal protection for body odor, etc. as 'they' can get a warrant and take it without the users consent.

I smell a rat.

Sancho_P • August 8, 2014 2:13 PM


That’s my point: Whatever access only has user + pwd is not really (worth being) protected.
I do hope organizations know about this.

But when it comes to certificates and CA: This is a disaster, and I guess there is more.

Sancho_P • August 8, 2014 2:22 PM

@Winter (2:56am):

“The reactions of Mr Putin on shooting down an airplane with 200 of my countrymen (including a family living at the end of my street) showed me that he is indeed "Ein sehr böser Russe".“ (emphasis added)

No offense, but I’m afraid THIS is the sore point:
We hear about hundreds violently dying per day, by earthquake, landslide, catastrophic accidents, clashes, war.
We don’t bother because: Too far away. We even don’t stop having our coffee / tea.

But if our countrymen are involved … OMG!
Is it called nationalistic or even nazionalistic (race)? (Thanks you have mentioned your neighbors, so it is more understandable.)

However, we tend to blame someone, personally if possible, for pulling the trigger, and to punish them even without a fair trial, likely without evidence. Just to cool down.

This is called revenge. It happens all over the world, let it be “uncivilized” or “civilized” areas.
For a starter see this appalling “victory celebration” (like “Thanks, NOW we got them”):

Until then it was part of our social security NOT to press the red button [1], but time runs out, they (our elite) now found new strategies to escalate the situation.

[1] I was tempted to write “for minor issues”, but a plane full of innocents is not minor, regardless of nationality / race. I cry for all, humans, animals, plants.

Chet Uber • August 8, 2014 10:42 PM


I don't buy that 420,000 system user accounts were compromised as we all know the best you are going to get is salted passwords which are for most attacks not useful and would require one hell of a password cracking set up to even dent that number.


I do have some explanations.

1. And this is my favorite one. Some CMS systems literally encrypt all the passwords with the same password with an MD5 hash.
2. CMS systems that do not use a salted encryption method but just hash the passwords and limit the number of characters to 8. Rainbow Table and other methods would rapidly yield all the passwords.
3. CMS doesn't encrypt passwords and if you don't think this exists you have never asked for a password reset and instead of a link you get your password back in plain text email.

I don't buy that either Windows or UNIX-like system shell accounts from 420,000 systems would happen or that on anything new would limit passwords in a way to make cracking them trivial.

If it happened it was a CMS hit. IMHO.
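As an added illustration (not code from Hold Security, from any commenter, or from any CMS), the Python below puts the weak storage schemes listed in the comment above beside a salted, iterated one, and also shows why the unsalted hashes Dewi Morgan describes can be matched against a precomputed table of known passwords with a single lookup. The password list, the user records, the 8-character cap and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: a handful of passwords that appear in every leaked
# password list, with their unsalted MD5 digests precomputed once. This is
# the "dictionary" of known passwords; a real one has billions of entries,
# but the cost of one lookup is the same.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]
PRECOMPUTED_MD5: Dict[str, str] = {
    hashlib.md5(p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS
}

# Iteration count for the hardened scheme (an assumption for the example;
# tune it so one verification costs on the order of 100 ms on your hardware).
PBKDF2_ITERATIONS = 100_000


def weak_store(password: str, max_len: int = 8) -> str:
    """Weak CMS scheme (cases 1 and 2 in the comment): cap the password at
    max_len characters, then store an unsalted MD5 of it. Every user who
    picks the same password gets the same stored value."""
    return hashlib.md5(password[:max_len].encode("utf-8")).hexdigest()


def weak_recover(stored_hash: str) -> Optional[str]:
    """Against an unsalted store, matching a known password is a single
    dictionary lookup; no per-user work is needed."""
    return PRECOMPUTED_MD5.get(stored_hash)


def identical_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Even without recovering anything, an unsalted store reveals which
    accounts share a password: identical stored values mean identical
    passwords. Returns only the groups with more than one account."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: a random 16-byte salt per user and iterated
    PBKDF2-HMAC-SHA256. The salt is stored next to the digest; it is not
    secret, its job is to make precomputed tables useless."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> None:
    # Constructed users; alice and carol chose the same password.
    users = {"alice": "password", "bob": "qwerty",
             "carol": "password", "dave": "S3cure-Phr4se!"}
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: strong_store(p) for u, p in users.items()}
    print("unsalted MD5, recovered by lookup:", {u: weak_recover(h) for u, h in weak.items()})
    print("unsalted MD5, shared passwords visible:", identical_hash_groups(weak))
    print("salted PBKDF2, recovered by lookup:", {u: weak_recover(h) for u, h in strong.items()})
    print("salted PBKDF2, shared passwords visible:", identical_hash_groups(strong))
    print("8-char cap makes 'password1' and 'password2' collide:",
          weak_store("password1") == weak_store("password2"))


if __name__ == "__main__":
    demo()
```

The truncation case is worth noting separately: with an 8-character cap, two users with different long passwords can end up with the same stored value, so the cap not only shrinks the search space but also throws away the difference between passwords that share a prefix.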


Benji • August 10, 2014 11:28 PM

I know that the company has been around for a few months.

I remember going to a website of theirs in the past (5-6 months ago).

Do not remember if the URL was holdsecurity.com or not.

However, I do remember that the page had the same exact logo!

The website had a blue background and very little information about the company, mostly a mission statement and covering that they were a security company located in Wisconsin.

Geert Welling • August 12, 2014 3:20 AM

Hello babies,

What is it, and I wonder, what makes you people running down on results as if they were problems?

I know some hackers say they urge for digging out situation, yes though it is to solve problems through interpreting failures.

What problem is solved here? How is this failure interpreted?

This kind of digging is like getting your core dumped and, instead of looking into it, continuously dancing around the message about your core being dumped.

I would not consider that hacking. So again, what is it making such fools out of yourselves?

Results from revenue assurance, what do you want, hacker, prove yourself a noob and mock about results, or finally address problems such as security through obscurity?

Results from revenue assurance, just as most of our security troubles and so on and so forth.

When do fricking hackers finally get to this?

Oh I'll explain. Before you start mocking grammar or whatever kind of b/s.

Capitalism is quality assurance through competition/concurrence.

This is revenue assurance. As any market is about problems and solutions, ours as well. Though quality based growth factors are rather based around real problems, quantity based growth factors (revenue assurance) is based around created problems in order to maintain and create predictability demanded and needed by such a system.

This problem about his marketing stunt and what not is a direct result of the revenue assurance we enjoy nowadays. It wouldn't even be possible (collectively) without it.

Are you stupid?

Geert Welling • August 12, 2014 3:34 AM

Oh and don't mock that I refer to capitalism via such a posting, it is quite connected.

Don't mock about me asking a question as if it is a statement (it isn't, its a question, look at the fricking reading sign - that thing about stupid).

What am I doing, I'm raising awareness, since most of you peeps apparently seem to enjoy running circles. Maybe the logical dizzy result is helping us achieve such stupidity as humans. Hypothetically said.

Besides, you are NEVER stupid. You are a human. Humans are proven to be different, and combining differences has proven our ability to be successful.

Such things prove our status not to be a real one, increasingly, nowadays. Real status doesn't need acknowledgement. Would we still live the term to its real definition, I as well as any other would be corrected stating anybody IS stupid.

Sometimes you, me and everybody ACTS stupid. It is a collective symptom, so it is impossible to accuse anybody of it. Without this acting stupid, there is no smart, no solutions.

If you understand discussion, you understand for any one good idea, nine are thrown away. If those nine may not be discussed, you closed the door for one good solution.

When, when, do fricking hackers address this HUGE problem, causing a lot of what we mock about, as RESULTS.

newBusinessModel • August 12, 2014 3:54 AM

Is it cyber crime to HOAX something, send around enough FUD and then offer a payment service, which resolves.... nothing ?

Everybody knows that if you find proof about someone/some organisation anywhere in the world and you inform your own government, other mechanisms will start to work.

There is no country on Earth that wouldn't be willing to exploit the media worldwide in showing "how good and fast" they are in arresting large scale cyber crime criminals.

And that is OK, as long as bad people are getting behind bars.

But this new "business model" looks like a new form of racketeering.

Maybe I should set up a website and send out a press release "Everything is hack-able and/or hacked and/or sensitive to social engineering. Please pay $ 10.000 to find out if you are a victim (or not yet :-))".

newBusinessModel • August 12, 2014 4:12 AM

@Unnamed Milwaukee Infosec Guy • August 7, 2014 2:26 PM

How often have you "stumbled upon" data of this nature by mistake?
Don't you think that to find this kind of data they would at least have to follow an unethical path?

If someone/some group has this kind and amount of data, they will not be bragging about it on some IRC channel and sharing it.

So if they actually HAVE the data, then the FBI should investigate what THEY have done to obtain it.

Secondly, they would be more respected IF they first informed the FBI and all parties, gave them time to inform their users, and then published about it.

And from a technical point of view, how many password files, from how many sources, do you need to come to this amount? And were they hashed or plain text (cracking time...)?

In the end, if this story is (even) partly true, it is not about the passwords, it is about the many websites on the Internet that leak password files.

And with a zero day for vBulletin, Joomla or WordPress, any script kiddie would be able to make a script that harvests password files for him.

Security is an ongoing process, not a goal.

Geert Welling • August 12, 2014 6:27 AM

awww, thanks and awww, it hurts my eye.

It's NOT a NEW business model, it's an ever-advancing old one. Revenue assurance, which you can recognize by, e.g., marketing creating need primarily rather than indexing our need in order to enhance their placement of products, services, combinations.

Our world consists of humans. Humans are always evolving, developing, advancing (one CAN advance negatively).

Our market, or markets as in economy, or economies as in world, DOES in fact consist solely of problems and solutions.

This OLD business model is one that creates and maintains/advances profit as cause instead of result. Where more profit is cause than result, a market (or all else that I've put above, including WORLD) becomes about created problems rather than real ones. Thus revenue-assuring cashflow creation, predictability and thus exploitation of insecurity.

What the frickin heck do you peeps think all the fuss is about? Maybe the exploitation of insecurity OR, as in, consuming patterns going to the length of us consuming ourselves and our fellow beings.

Besides, one that wants to consume solutions, wants dictatorship.

Besides, the NSA did its job, more than anybody else, including civilians. With all the pointing at the NSA lately, ALL HACKERS NEED TO KNOW:

How can hackers, ever, EVER, have allowed anyone to point at the NSA?

Since when is the NSA's primary core task our privacy? It IS NOT. It NEVER was. For THAT reason politics has more direct and shorter check-up lines to intelligence services in any trias politica based state! Politics should have provided lines about our privacy within this ever-advancing world and so ever-changing political landscape. People, and ESPECIALLY HACKERS (who only harass me instead of even asking questions, mocking about what happened to Aaron Swartz, doing exactly the same to me, more than my OWN police and intel services, I'M NOT KIDDING YOU), should have checked up on their politics.

And we still can.

Like when you bring up your kids. You don't just bring up your kids when it's going wrong, you bring them up constantly until they become adults. So it is with politics: you don't just check up when it's going wrong, you do that constantly. IT HAS NOTHING TO DO WITH B/S ABOUT WHETHER OR NOT YOU'RE PART OF THE PROBLEM; YOUR FUTURE IS PART OF YOU AND YOUR KIDS, IT HAS TO DO WITH THAT.

It has nothing to do with who is to blame. Or what is to claim.

Dipshits. That's the urge to consume solutions rather than accept the disadvantage (as it is considered by pretty dumb people) of letting your voice be heard within. So soliciting for dictatorship. Don't tell me it's difficult to explain; a billion books have been written about it, most of our laws, statistics, oh please.

It is an OLD business model.

Like this bullshit that DSM guy very nicely (intentionally) puts up, People, Planet, Profit, where profit is still the cause, so revenue assurance is even more established. It doesn't change a SILLY thing!

I want to see hackers that hack; there's nothing new to be found out here, it's all been found out already. I want to see hackers that can deal with the crap we've found out. Instead of playing fancy bullshit crap at the expense of our kids' prospects. Thanks already, in advance!

And stop pointing. People that point don't learn, don't ask questions and certainly don't suffer enough problems to really be willing for solutions.

Like with hacking, ASK FRICKING QUESTIONS.

A scientist is nothing more than a question addict who hopes for a shot of answers.

Today's scientists just repeat at very high levels, and mostly don't even know what they repeat. Yelling 'knowledge is power' meanwhile.

I'll tell you what it is about that 'knowledge is power' thing:

In order to gain knowledge, people first need the will and the effort to turn data into information into knowledge THEMSELVES. Practically no university in our 'first' world still uses this concept. From that knowledge, responsibility WILL pop up before POWER. If not, you're either dealing with a psychopath or an unintelligent autist, or it is NOT the semblance of knowledge but rather the disguise of a lack of it.

thanks again. And you too, Bruce.

Bastiaan • October 14, 2014 2:30 AM

The Dutch Cyber Security Agency bought all the websites and email addresses ending in .nl from Hold Security. I delivered these addresses to the ISP, asking them to inform their customers that their email addresses and websites have been hacked.

For me it looks like the list contains only addresses that were crawled from the web. The only address of mine that is on the list is an address that is searchable on the web. There are no email addresses of mine on the list that I use for any account.

So it seems like a big hoax. But the Cyber Security Agency is using the hoax to stress the importance of good account/password protection.

...and Hold Security earns some money from selling crawled email addresses.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.