The Lie Behind 1.2 Billion Stolen Passwords

Or: How Alex Holden Spends Most of the Day Chillaxing on TOR and Lurking Russian Hack Boards

Preface: I’d like to personally thank Rick Romell and Bill Glauber of the Milwaukee-Wisconsin Journal Sentinel for absolutely nailing this story out of the park with regard to localized research on Holden. That the number of credential went from 4 billion, then to 1.2 billion, and then (as per Mother Jones) to ~500 million is absolutely absurd and warranted investigation. Both of you are absolutely awesome.

This will be short and sweet because Alex Holden does not need any further publicity for his actions. You have likely read the accusations that, earlier this week, Alex Holden of Hold Security announced to the NYT that he had discovered Russian hackers had stolen over 4 billion usernames and passwords. After running a duplication check, that narrowed to 1.2 billion and, while not often reported, that list was further whittled down to around 500 million individual users via unique email addresses.

Let’s look at the warning signs right off the bat:

  • Announces 4 billion passwords have been taken across 420,000 websites
  • Makes zero indication on how he learned this or how he obtained the output of 420,000 website’s U/P data
  • Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver’s One World Labs, said that Holden “[…] has gone off and done his own thing […] he has his way of doing it — very different than mine”
  • Refuses to indicate any of the sites compromised so that users can change their passwords as “there is an ongoing investigation”
  • No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
  • Explains that he knows the names and locations of these hackers but not the group they are affiliated with
  • Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn’t happen during an investigation
  • Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
  • Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
  • Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
  • Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning “thief” in Russian.
  • States that the “group” purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.

Just a quick validation of the “didn’t graduate” accusation since that’s a pretty hefty falsehood.
From the MWJS article:

Told that UWM had no record of him earning a degree, Alex Holden said Wednesday, “That is correct. I never finished. I attended but I never finished.”

In an interview Tuesday evening, however, Holden had said he graduated from the school in 2001 with a degree in mechanical engineering.

His LinkedIn page, under “Education,” says “University of Wisconsin-Milwaukee, BS, Mechanical Engineering, 1993-2001.”

Regardless, let’s move on to the individuals that joined in on this.

Via CBS:

Chase Cunningham, lead threat intelligence agent for cloud security company Firehost, spent years tracking Russian crime syndicates with the FBI and the NSA. At Black Hat on Wednesday, he said Hold Security has “uncovered one of the largest caches of data ever seen.”

In no circumstance is it stated that Chase has actually seen the data in question; however, over the iterations of his career with the DOD, Neu*, and now an employee at Firehost who apparently doesn’t even get his picture on the staff page — he would like to chime in. This is becoming a grab for attention by security experts who want to take every opportunity to get into the public spotlight before Blackhat winds down later today. From his bio on CyberUnited:

Mr. Cunningham researched, developed and designed a new cognitive intelligence model focused on accurately forecasting human behavioral activities and likely clandestine human tactics within protected networks to counter malicious insiders.

Additionally, don’t get the impression that Chase was a speaker at BlackHat: he just happened to be there and is not on the speaker list and was seemingly wandering around looking for a reporter to speak to; however, it wasn’t likely this random considering that Chase has extensive experience with social engineering and a skill we will reference as “the ability to know who the right person is, what they look like, and where they are currently located”. On a bright note, FireHost can now add the AP logo to their newsroom masthead.

Let’s go back to a previous individual who I feel deserves a little recognition: Brian Krebs.
Brian is a somewhat well-known security enthusiast that also puts words on an Internet blog about his thoughts on security. Holden’s Hold Security is essentially a go-to for many of his posts regarding Internet security — the reason for this being that Brian Krebs is listed as a “Special Advisor” for Hold Security. Established media outlets generally try to ensure that the individual reporting about something isn’t directly connected to the entity that is being discussed; however, as luck would have it for Krebs, that rule really doesn’t exist on the Internet.

One question that I feel a good number of security-centric individuals not swooned by Alex “The Watchman” Holden, Brian “The Megaphone” Krebs, and Chase “The Avenger” Cunningham’s story of intrigue is:
How does one suddenly wind up with 4 billion U/P entries? Holden /had/ to have those entries on hand if they were, in fact, verified by an “independent security source” (who was left unnamed) used by the New York Times. I would ask how those were verified (“Yup. That’s a database. Yup. Those are usernames. Yup. That’s the format those would be in.“) — but let’s stick with accrual for a moment.

Hold Security’s website, like any other good WordPress-driven security site, likes to toot their own horn for their accomplishments. Let’s look at a few of the headlines and see if we can pick up a pattern:

“Hold Security’s newly announced Deep Web Monitoring Program working with journalist Brian Krebs informed Adobe Systems Incorporated that source code for their flagship products has been found on servers of known hackers responsible for breaches of LexisNexis, Kroll, NW3C, and many other sites.”

“Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (shells) and viruses in multiple directories hoping that these directories map to web servers of the victim companies to gain control of the web services. They also uploaded HTML files with seamless re-directs to malicious sites.”

The same group of cyber criminals responsible for LexisNexis, NW3C, and Adobe breaches also had stolen data that belongs to PR Newswire. Partial website source code and configuration data along with a database of PR Newswire customers was found on the same server where Adobe System’s source code was located […] Update: Hold Security’s Deep Web Monitoring confirms today that PR Newswire was not a random target for the hackers. There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits.

Oh hey look, it’s Brian Krebs again. Hey, Brian!

I want to point out a common phrase here: Deep Web Monitoring.
Were I to use a term like this to a novice user it sounds impressive — almost like Hold Security is deeply probing the Internet — judiciously locating and identifying information that has been breached and alerting the appropriate parties. What Hold Security is actually doing is logging into established .onion sites/forums/boards on TOR and essentially flipping through For Sale postings for user data and bragging posts for recent successful hacks. People pay him money to do this which, honestly, sort of drives me to believe that I am a Black-Hat-Gone-Hatless who really selected the wrong profession.

Here is Hold Security’s definition of what I just stated which understandably sounds much more complex. Additionally, here is Hold Security’s “Consumer Hold Identity Protection Service” offer — where you install an application and it tells you if you are at risk. If they happen to find your credentials when scanning Russian forums on TOR preforming a Deep Web Monitoring: “[…]we will ask you to provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised.” That seems reasonable. Last week my credit card was stolen and my bank called me to verify my credit card number. I’m glad they’re watching out for me.

“Sure (author), they may be absolutely sketchy but as a consumer I’m really looking for something like questionable Privacy Policies and Terms of Service. Does Hold Security offer that?”
I’m glad you asked. They sure do.

Privacy Policy
“We may disclose aggregated information about our users without restriction. We may disclose your personal information to our subsidiaries and affiliates, to service providers and other third parties we use to support our business, and to our business partners.” This wouldn’t be such a large deal if the information they were dealing with weren’t your user credentials and password(s).

Terms of Service
“9.2. When we obtain Customer Data or any other personal information about you, we may process such information outside of the country in which you are located, including in the United States. The countries in which we process the information may not have the same data protection laws as the country in which you are located. By using the Consumer Hold Identity Protection Service or otherwise providing any Customer Data or other personal information to us, you expressly consent to the transfer of such Customer Data and information to, and the collection and processing[…]” Data obtained by Russian phishers may return to Russian phishers for verification.

The more you dig — the more nothing about this adds up.

Since this is a blog and not a news story, allow me to speculate. Of Hold Security’s press releases, this one is my favorite:
“To help our customers we tracked over 300 million abused credentials that were not disclosed publicly (that is over 450 million credentials if you count our Adobe find). But this month, we exceeded all expectations! In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses.” (2/25/2014)

I highlighted a number I feel is pretty important. What Holden told the New York Times was a carefully worded falsehood. Holden himself has carefully collected this data over the span of a year or two, maybe even to the point of purchasing old U/P information. Hold Security is a passive form of security — they are not going out to find your data and wrangle it out of the hands of those Evil Russian Hackers (Holden is from the Ukraine). What they are doing is lurking TOR nodes observing chatter. I would almost go so far as to suggest that he has obtained access to multiple forum systems on TOR that require verification of l33t-krad-LoD-versus-MoD status. Holden throws together a giant list of antiquated loose account leads, pings the New York Times (a source he “found” was compromised previously) and tells a fantastical story about this massive cache of (completely outdated) U/P’s. Since lists like this have a very specific half-life, they were probably an aggregate of bargain bin purchases — thus why 4.1 billion quickly narrowed down to 1.2 billion and then to ~500 million unique email accounts: if I’m selling a list of 2 year old U/P’s there’s no reason for me not to grab a few lists from 3 years ago, tack those on to the end, call my offering “520,000 Login Credentials” instead of “210,000 Login Credentials”, and add a markup. U/P lists are the cold leads of the phishing world.

From Russell Brandom’s story on The Verge:

The biggest red flag of all, though, is that CyberVor isn’t trying to sell the data or use it to steal actual money. They’re using it for Twitter spam, the dark web equivalent of boiling the bones for stock. If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming. The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.

That’s the ultimate point here. Not Brian Krebs describing how he once demonstrated the exact method of a bot SQL injection that Holden blames as the cause of this, not Chase Cunningham running into the wrestling ring vowing that these criminals need to be caught and maybe he is the hero Gotham deserves, and not even the fact that the numbers provided by Hold Security in previous posts regarding the collection of U/P lists almost exactly matches the number that is being reported — but the fact that, to any individual who has ever been involved in pentesting websites while not on the payroll of that company: none of this makes sense. Were those passwords to all work, 500 million unique U/P’s is money in the bank and double that if you’re smart enough to extort those users with the information you find. Holden states they’re using them for Twitter spam. We’re either dealing with a group of idiot savants, or one savant idiot.

That’s how Alex Holden told a story to the New York Times, how the NY Times poorly corroborated said story, how Alex had a friend chime in to talk about his character, and how that story spread like wildfire — kind of like Back Orifice in the days of cDc. God, I miss cDc.

The moral of the story is:
Never trust the narrator.

Recent Posts

Recent Comments


Written by:


  1. […] a rather in-depth exposé_kmq.push(["trackClickOnOutboundLink","link_53e52c232f78e","Article link clicked",{"Title":"in-depth […]

Comments are closed, but trackbacks and pingbacks are open.