Story 2014-08-12

Is Hold Security on the level?

in ask (#3TM)
Hold Security: the security company responsible for the disclosure that some Russian hackers have collected 1.2 billion email/password combinations. When the news came out, Hold Security promised to check their database on an individual level rather than just publishing the passwords. They posted a form by which one could enter a name and email address, and told visitors to wait to hear from them.

Days later, emails were sent out that looked something like this:
Dear <Name you entered>,

This is a message from Hold Security regarding your recent Hold Identity enquiry.

We can confirm that your online credentials have been compromised. However, don't panic just yet. It is possible that the compromised password(s) associated with this email address are not critical, for example, a password might be very old or assigned to you by default by a service provider.

If you would like to know which one of your passwords has been compromised, follow the link to our website and enter your ticket number, which can be found in the subject field of this email. You can submit up to 15 passwords that will be encrypted using a very secure algorithm and sent to us for running a comparison check in our database. Please note that if you try to send us your passwords unencrypted, we will not respond and will disregard your enquiry completely.

Once we check our database, we will let you know which, if any, of your (encrypted) passwords have been breached.

Thank you for your interest in our Hold Identity service and taking the time to submit your enquiry.
The email link leads to a form which invites the user to enter up to 15 of their passwords, plus their ticket number, in complete violation of all IT training and quite possibly sanity itself. It may very well be that this is the only way that the database can be logically searched, however. (Though I'm intensely wary of anything that claims to do real encryption via JavaScript.)

Yeah, Betteridge's law of headlines would say "No" to this - but Brian Krebs seems to think they're real. Anyone got any experience with these people?
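For readers weighing the "this is the only way the database can be searched" point: the check does not have to involve sending the password, encrypted or otherwise, to the party holding the breach database. The following is an added example (not code from the original post, from Hold Security, or from Krebs) of the range-query / k-anonymity approach later popularised by Have I Been Pwned's Pwned Passwords service. The client hashes the password locally with SHA-1, sends only the first five hex characters of the digest, receives every suffix the server holds in that bucket, and does the final comparison itself; the server never sees the password or even its full hash. The leaked-password list, the class and function names, and the 5-character prefix length are all constructed for illustration.

```python
"""
Breach-database password check that never sends the password to the server.

Constructed example of a k-anonymity range query: the client reveals only a
short hash prefix, the server returns the whole bucket, the client compares.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Hex characters disclosed to the server. 16**5 ~ 1M buckets, so a prefix
# narrows the password to roughly 1/1,000,000 of SHA-1 space and no further.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password. SHA-1 is fine here: it is a lookup
    key for a blinded query, not a password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side. Holds only hashes of leaked passwords, bucketed by prefix,
    and records what each query disclosed so the example can show it."""

    def __init__(self, leaked_passwords: List[str]) -> None:
        self.buckets: Dict[str, Dict[str, int]] = {}
        for pw in leaked_passwords:
            digest = sha1_hex(pw)
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            bucket = self.buckets.setdefault(prefix, {})
            bucket[suffix] = bucket.get(suffix, 0) + 1  # occurrence count
        self.queries_seen: List[str] = []

    def range_query(self, prefix: str) -> List[Tuple[str, int]]:
        """Return every (suffix, count) in the requested bucket.
        The prefix is the only thing the server ever learns."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return sorted(self.buckets.get(prefix, {}).items())


def check_password(password: str,
                   range_query: Callable[[str], List[Tuple[str, int]]]) -> Tuple[bool, int]:
    """Client side. Returns (found, count). Only the hash prefix leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return True, count
    return False, 0


def check_many(passwords: List[str],
               range_query: Callable[[str], List[Tuple[str, int]]],
               limit: int = 15) -> Dict[str, Tuple[bool, int]]:
    """Check a batch (the email above allows 15) without ever uploading one."""
    if len(passwords) > limit:
        raise ValueError("at most %d passwords per enquiry" % limit)
    return {pw: check_password(pw, range_query) for pw in passwords}


if __name__ == "__main__":
    # Constructed "leak"; a real index would hold hashes only, never this list.
    server = BreachIndex(["password", "123456", "letmein", "password"])
    results = check_many(["password", "correct horse battery staple"], server.range_query)
    for pw, (found, count) in results.items():
        print("%-30s breached=%s count=%d" % (pw, found, count))
    print("server saw only these prefixes:", server.queries_seen)
```

The design choice worth noting against the email's scheme: "encrypted using a very secure algorithm and sent to us" still hands the plaintext to whoever holds the decryption key, and if that party is the one operating the form, client-side encryption adds nothing. With a range query the server learns a 20-bit prefix and nothing else, so a compromise of the lookup service (or a dishonest operator) yields no usable passwords; the residual leak is that a given client's password falls in one bucket of about a million, which is acceptable for this purpose.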