Earlier this week, the New York Times had security experts in a tizzy over a report from Hold Security that a Russian cyber-crime gang had amassed 1.2 billion user credentials. Some subsequent reports have questioned the veracity of the findings, but acclaimed cyber-security journalist Brian Krebs has now joined the conversation.
In a Q&A on his site, Krebs says he has seen firsthand some of the data behind the research of Alex Holden, founder of Hold Security, who has not disclosed the names of the some 400,000 sites in question. “I have seen his research and data firsthand and can say it’s definitely for real,” says Krebs.
“Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.”
Krebs goes on to explain that the primary reason for acquiring this much data is to spam as many users as possible by email. “It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote,” he says.
If you have a habit of reusing passwords, or are just a casual Internet user, then you should be concerned about your data, says Krebs.
“If you re-use your email password at another site and that other site gets hacked, there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain.”
The reports from Hold Security have been criticized heavily since they were published. Many have questioned the firm’s refusal to disclose the names of the affected sites while at the same time charging a $120 service fee to anyone who wants to check whether their own site is among them.
Hold insists that it has withheld the names because of non-disclosure agreements, and because some of the sites remain vulnerable, so naming them publicly would put them in harm’s way.
Updated 19:20 CET:
As one of our readers, Chris, commented below, Brian Krebs sits on the advisory board of Hold Security; he is listed as such on the company’s site, which is worth bearing in mind when weighing his endorsement of the research above.