I'm still highly skeptical about the motives behind the report. It's obvious to anyone in tech that there is no "new" exploit, else Hold Security would be releasing the vulnerability to software developers. Instead, they just say they have "contacted" (aka sales pitch'd) companies that they have confirmed have been hacked. Now that all the companies that you have proof were hacked have paid you or turned you down, you release a public story in the NYT that comes out during Black Hat and scare other companies into purchasing your "service" of checking to see if they were in the hacked companies.

So basically, Hold Security is charging 120/year for the ability to ask some secret, professional Russian hackers if your site was in fact one of the sites they hacked.