Yesterday, news broke of hackers getting their hands on 1.2 billion web credentials. It had all the makings of a media frenzy: possibly the largest stolen-password event so far, 420,000 sites involved (so "it affects absolutely everybody," the security firm that discovered the breach said), and... it's a Russian gang that has its hands on our email addresses and passwords.
But wait a second. Which sites were involved (so we can change our passwords)? Which email addresses were exposed? Were the stolen passwords hashed or encrypted in any way, or stored in clear text? Are these duplicates from previous massive password breaches?
Sorry, Hold Security told the New York Times. The company is not giving up that information, citing nondisclosure agreements with its clients and a desire not to out companies that are still vulnerable.
I don't doubt there's been a massive security breach here and there's reason for concern. But what's the point of announcing it and causing panic at large without giving end users the ability to do something about it?
Other than, maybe, causing a large enough panic to get companies to sign up for Hold Security's $120/year monitoring service? The company posted a new breach notification service on its website at about the same time the NY Times article went live.
It's since been taken down, after the page was linked on Twitter by WSJ reporter Danny Yadron.
Every password breach is a reminder of the same good lessons. Choose strong passwords. Don't reuse your passwords across multiple sites. Turn on two-factor authentication so that a stolen password alone is not enough to get into your account.
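To make the two-factor point concrete, here is an added example (not code from the post or from Hold Security) of why a leaked password stops being sufficient once a second factor is in play. It implements HOTP/TOTP per RFC 4226 and RFC 6238 with the standard library only, stores the password as a salted PBKDF2 hash rather than in clear text, and walks through a constructed scenario: the user's password has leaked, the attacker has it, but the TOTP secret never left the user's authenticator. The record layout, the hypothetical `login` function and the scenario are assumptions made for this example; the shared secret and the timestamp 59 are the RFC test vectors, used so the results are reproducible, and must never be used in a real system.

```python
# Added example: a stolen password is not enough when a second factor is required.
# Standard library only. HOTP per RFC 4226, TOTP per RFC 6238.
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one from +/- `window` steps (clock drift), constant-time compare.
    All candidates are checked so timing does not reveal which step matched."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            matched = True
    return matched


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash: what a site should store instead of the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Hypothetical login check for this example: both factors are evaluated, then combined,
    so a caller cannot learn from timing whether the password alone was right."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and code_ok


def demo() -> dict:
    """Constructed scenario. The password has leaked in a dump; the TOTP secret has not."""
    leaked_password = "correct horse battery staple"        # constructed
    rfc_test_secret = b"12345678901234567890"                # RFC 4226 test secret, NOT for real use
    now = 59                                                 # RFC 6238 test timestamp, for reproducibility
    record = {
        "salt": os.urandom(16),
        "totp_secret": rfc_test_secret,                      # provisioned to the user's authenticator app
    }
    record["pw_hash"] = hash_password(leaked_password, record["salt"])

    # A second site where the same password was reused: different salt, so a different stored hash.
    other_site_hash = hash_password(leaked_password, os.urandom(16))

    genuine_code = totp(record["totp_secret"], now)          # what the authenticator shows right now
    return {
        # Attacker has the password from the dump but no authenticator: rejected.
        "attacker_password_only": login(record, leaked_password, "000000", now),
        # Legitimate user with password plus current code: accepted.
        "user_with_authenticator": login(record, leaked_password, genuine_code, now),
        # The same code captured and replayed two minutes later is outside the window: rejected.
        "replay_two_minutes_later": login(record, leaked_password, genuine_code, now + 120),
        # Salted hashing means reuse is not visible by comparing stored hashes across sites.
        "same_password_distinct_hashes": other_site_hash != record["pw_hash"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points worth noting in the design: the password check and the code check are both computed before being combined, so an attacker with the password cannot tell from response time that the first factor passed; and `verify_totp` tolerates one step of clock drift in either direction, which is why a captured code is useless a couple of minutes later. None of this helps if the site stored passwords in clear text and the user reused them elsewhere without a second factor, which is exactly why the advice above is repeated after every breach.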
But in this case there's not much else to learn. It just smells fishy.
Read more of Melanie Pinola’s Tech IT Out blog and follow the latest IT news at ITworld. Follow Melanie on Twitter at @melaniepinola. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.