CyberVor Update: Hold Security Responds

Firm Posts FAQ, Defends Its Intentions

Hold Security continues to deal with the backlash prompted by its recent warning that a Russian cyber gang breached 420,000 web and FTP sites to pilfer more than 1.2 billion credentials.

News of the mega-breach was first reported Aug. 5, when the security vendor said the cyber gang, which it dubbed CyberVor - "vor" is Russian for thief - amassed over 4.5 billion records (see: Security Firm: 1.2 Billion Credentials Hacked). Of those credentials, 1.2 billion appeared to be unique and tied to more than a half-billion e-mail addresses. "The CyberVor breach may be the largest breach identified to this date," Milwaukee-based Hold Security announced on its website.

But that warning prompted critics to ask several questions, including:

- Why Hold Security wasn't naming which sites had been breached;
- Whether it was attempting to profit on the hacks by charging $120 to allow companies to see if attackers possessed their records;
- Why a breach of this magnitude had gone undetected for so long;
- Whether the report was just a marketing exercise.

Some information security experts also questioned the firm's free service for consumers, which requires that they share their passwords to see if the attackers compromised them.

Hold Security did not immediately respond to related requests for comment.

FAQ Fields Criticism

Now, however, Hold Security is addressing some of those questions via a CyberVor Breach Frequently Asked Questions page, published Aug. 12. To be clear, the FAQ adds little information about the gang behind the attacks, except to repeat that they used botnets to scan hundreds of thousands of websites for known vulnerabilities. "Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone," the firm says. "The CyberVors used these vulnerabilities to steal data from these sites' databases."

But the FAQ does attempt to set the record straight about the company's $120 breach notification service, albeit with occasional grammatical errors. "The Breach Notification Service are NOT aimed for individual e-mail users," it says. "It is a service to help website owners and other Internet services to be notified if the hackers are attacking or already exploited their systems." The company says the service will require any subscribing sites to verify their identity, as well as pull in data from other breach notification reports and data dumps.

Free Consumer Service

The FAQ also makes clear that the company offers a free check for consumers, to see if their credentials are part of the CyberVor gang's haul. Finding out requires filling in an online registration form. Hold Security says that by October, it also plans to launch a paid "Hold Identity" service, which "will allow individuals to know if their online credentials have been compromised," the FAQ says. "Plus, we will also offer continuous monitoring of your identity online."

For the CyberVor check, to see if their credentials were stolen, people must share their e-mail address. If Hold Security finds a hit with information in its CyberVor database, then it will request passwords that have been used for accounts tied to that address. "We will check up to 15 passwords per e-mail as we understand that many of us reuse the same e-mail address on different websites, such as internet banking [and] social media," it says. The service cannot, however, be used to check e-mails related to government or military domains.

That password request, as noted, has raised some eyebrows, but Hold Security says it's essential for discerning whether attackers only obtained an e-mail address - for example via a newsletter subscription - or hacked into a more sensitive service, such as an online bank. The FAQ also promises that only a one-time hash of the passwords - which get created on the person's PC, and which cannot be reverse-engineered - will be sent to Hold Security.
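To make the described exchange concrete, here is an added illustration (not Hold Security's code, whose actual hash construction the FAQ does not specify) of how a "one-time hash created on the person's PC" can be checked against a breach database. It assumes the server issues a fresh nonce per submission and the client keys the hash with it; the sample breach data is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a breach-check service might hold for one address.
# Hypothetical data only; it is not the CyberVor data set.
BREACHED = {
    "alice@example.com": ["hunter2", "Summer2014!"],
}


def issue_nonce():
    """Server side: a fresh nonce per submission makes each submitted hash one-time,
    so an intercepted value cannot be replayed or matched across users."""
    return secrets.token_bytes(16)


def client_hash(nonce, password):
    """Client side (runs on the user's PC): keyed hash of the password under the
    server's nonce. Only this digest, never the password itself, is transmitted."""
    return hmac.new(nonce, password.encode("utf-8"), hashlib.sha256).hexdigest()


def server_check(email, nonce, submitted):
    """Server side: recompute the one-time hash over every candidate password it
    holds for this e-mail and compare in constant time. Note the consequence of
    the design: the service must be able to hash each stored candidate under any
    nonce, so the scheme protects the password in transit, not from the service."""
    for candidate in BREACHED.get(email, []):
        if hmac.compare_digest(client_hash(nonce, candidate), submitted):
            return True
    return False


def run_check(email, passwords):
    """Whole exchange for up to 15 passwords per e-mail, the limit the FAQ states.
    Returns the subset of the user's passwords found in the breach data."""
    hits = []
    for password in passwords[:15]:
        nonce = issue_nonce()                # server -> client
        digest = client_hash(nonce, password)  # client -> server
        if server_check(email, nonce, digest):
            hits.append(password)
    return hits
```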

Little Added Attack Context

Hold Security urges consumers not to panic if there's a hit with their e-mail addresses and passwords. "To the best of our knowledge, the CyberVor breach was associated with spamming activities during most of the time of its existence," the FAQ says. "It only occurred recently that the hackers began using the credentials for other activities." No related evidence, however, has yet been published to back up those claims.