
The news this week about a Russian cyber gang amassing 1.2 billion user credentials including emails and passwords has created a bit of a frenzy — in the media, in the security community, and among average users, all of whom are wondering what the heck really happened.

Sadly, the security firm behind the revelations, Hold Security, seems to be milking the publicity for financial gain by offering breach notification services to businesses starting at $120 per year.

Our security experts have been parsing the story, and have poked some holes in it.

As Sophos Senior Security Advisor Chester Wisniewski pointed out in an opinion column published at, a large portion of the email addresses and passwords among the 1.2 billion were likely from previously disclosed data breaches of websites such as eBay, Adobe and Sony.

Many of the passwords associated with those accounts were “hashed,” meaning it would take the crooks a long time to crack them. Plus, some of these hashed passwords are quite old and probably useless to the criminals.

Unfortunately, we just don’t know where this trove of data comes from because Hold Security hasn’t fully disclosed its findings.

“Of course, we don’t know the truth and can’t analyze what is known because Hold Security is trying to figure out how to monetize the knowledge, leaving even the experts a bit in the dark about how serious a discovery this truly is,” Chet writes.

Despite Hold Security’s questionable methods and motivation, the company’s revelations demonstrate just how bad security is at many websites, and how passwords are failing at providing adequate security for online accounts.

In light of all this, we’ve got some security tips for businesses, website owners, and the public at large.

For users

  • Just to be safe, you should change your website passwords (including webmail, social media accounts, etc.). It’s good sense to change your passwords frequently.
  • Always use unique passwords for each website.
  • Use two-factor authentication wherever you can.
  • Check your bank and social media accounts for suspicious behavior.

For website owners

To learn more about how a modern firewall can improve your security posture on multiple levels, listen to our Sophos Techknow podcast: Firewalls Demystified.

