Call it the hack whipsaw.
A computer security company — it is rarely a government entity — comes out with a new report. Millions of stolen passwords. Tens of millions. No, hundreds of millions.
The point is apparent: This is a big deal.
Then it becomes clear this company is not simply informing the world out of some sort of noblesse oblige: It is trying to make money.
It is clear that Hold Security, the company that said on Tuesday it had discovered an enormous database of stolen records in the hands of Russian hackers, is trying to make money.
Hold Security now offers, for $120 per month, what it calls a Breach Notification Service, announced the same day the size and scope of the breach was reported. It is described as a real-time monitoring service that will alert companies if they come under attack, in addition to checking for vulnerabilities to the breach Hold Security uncovered.
Hold Security is also offering an identity monitoring service for individuals. The site says the service will be free for 30 days. It is not clear whether there will be a charge after that.
If Hold Security discovers your email address in its database of stolen credentials, it says it will ask you to send encrypted versions of your password to compare against the database.
Yes, it's certainly confusing — and off-putting. Does this mean you should ignore Hold Security's report, or the many other alarming reports that came before it?
No. But you shouldn't have needed the latest scary evidence to be worried about your online security.
The web, as Roger Rawlinson, a group managing director at NCC Group, which owns the security consulting firm iSEC, points out, was not built to secure information; it was built to share it. We're now trying to bolt on security after the fact, and hackers are outpacing those efforts.
I have a personal perspective on this, since I was the victim of identity theft late last year. Someone opened several credit cards in my name at Best Buy, Fry's, Kohl's and Macy's.
I originally assumed it was the result of the data theft at Target, which compromised about 70 million customer records.
But a few weeks after I contacted the fraud departments of all four stores and filed a police report, I got a call from the small bank that issues cards for Fry's, First Electronic Bank in Utah.
The security officer there told me there had been an arrest in my case, and that the identity theft ring that was using my personal information knew almost everything about me. So much, in fact, that it was able to answer so-called "challenge questions" about my credit history in order to open cards in my name.
And once the identity theft nightmare starts, it is very hard to stop.
Even after I reported the fraud to Macy's and sent them a copy of the police report I filed, they continued to bill me for months and even reported me to collections. At that point, a very angry phone call put an end to the problem.
But I still get promotional email from all four companies because I am, after all, now in their databases. Could I have stopped the identity theft with better password security? Possibly. They found their way in somehow.
It bears repeating: Be smarter about passwords. Make sure they're not easily guessed, and don't reuse passwords across any sites that contain important information. That way, if one is compromised (and it almost certainly will be at some point), it can't take down your entire digital identity.
Set up multifactor authentication — that is, multiple steps like a password and a text sent to your smartphone — where it's available. It's worth the effort. Be careful about what data you give out online: Use fake birth dates and make up your mother's maiden name, if need be.
Assume it's the Wild West out there. And be happily surprised when it is not.