Hold Security of Milwaukee, Wisconsin, which broke the story on how a Russian gang is sitting on top of over one billion stolen usernames and passwords, has come up with what seems to be an ironclad get-rich-quick scheme.
The ‘large hearted’ company has said it wants to help users, but there is always a but: there is no such thing as a free lunch. After discovering the breach and scoring a high-profile story in the New York Times, the security firm is now demanding a fee from users who want to know if they are affected. This means users will have to shell out $120 simply to know if they are victims.
A report by Graham Cluley also notes how the breaking news was ‘perfectly timely’ with the security conferences going on in Las Vegas right now. “There was an alarming lack of information supplied by Hold Security in its official statement about the discovery and something just didn’t feel right,” adds the report.
The official statement from the security firm clearly states that ‘it could not name sites that had been breached because of non-disclosure agreements.’ However, it now seems that Hold Security is using all the data it received to make a lot of money. For $120/year with a two-week money-back guarantee, it now promises to alert you if your site is affected by the data breach.
“It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm,” reports Forbes.
Hold Security wants users to sign up for its “Consumer Hold Identity Protection Service” (CHIPS), a subscription service. And yes, if you sign up right away you’ll be getting 30 days of protection for free. You need to provide your email address to Hold Security and it will provide you with encrypted versions of your password and let you know which password has been compromised.
However, the report further calls its approach quite ‘idiotic’. “What if the computer the user is typing on has keylogging malware in the background – isn’t it going to be trivial for malicious hackers to scoop up the victim’s most sensitive passwords as they are entered on this web form? Or what about the possibility of bad guys creating phoney versions of this webpage, specifically with the intention of nabbing users’ passwords?” the report adds.
While we can’t do anything about a website being hacked, it is important that we keep changing our passwords and avoid common, easy-to-crack ones.