Russian CyberVor attacked databases of websites but hold on...
Security researchers say a Russian crime ring has pulled off the largest known theft of confidential Internet information, including 1.2 billion username and password combinations and more than 500 million email addresses.
The cyber gang injected malicious code to steal databases from at least 420,000 websites, says Alex Holden, founder and chief information security officer for Hold Security in Milwaukee, Wisc.
but note what Forbes says:
Panic time, right? You can’t even change your passwords to protect yourself because you don’t know which websites are affected or if they’re still vulnerable. This is the worst kind of news, spare on details and causing a panic without offering a solution. Oh wait, but there is a solution! You can pay “as low as $120″ to Hold Security monthly to find out if your site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up.
It’s certainly in the interest of any security firm to to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm. Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it. We don’t just need hashed passwords salted, we need grains of salt in our reporting around security.