Around 30 million people may be affected by a database breach at the online dating site PlentyOfFish.com that left usernames, passwords and email addresses exposed.
According to media reports, PlentyOfFish CEO Markus Frind disclosed a security hole, which he said had since been closed, with all passwords reset. He confirmed that 345 accounts were successfully exported and that the hackers had attempted to negotiate with PlentyOfFish to ‘hire’ them as a security team, threatening to release the hacked accounts to the press if the company failed to cooperate.
Initially the blame was placed on security blogger Brian Krebs, with claims that KrebsOnSecurity.com was involved in an elaborate extortion plot. Krebs said that when you are implicated in an alleged extortion scheme, two things become clear: you are probably not going to get any real answers to your direct questions about the incident, and the company almost certainly did have a serious breach.
Krebs said that he had been contacted earlier this month by an Argentinian hacker who said he had found bugs in PlentyOfFish.com that let him view the account and password information of any member.
“He said the information was being circulated in the hacker community and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information,” he said.
“For the past ten days, Frind has promised a response, but otherwise dodged my emails. I began actually writing up a blog post about this hack yesterday. This morning, I awoke to find a rambling blog post that indirectly accuses me of participating in an extortion scam, before mildly backtracking from that claim.
“At one point in Frind's post, he says he grew particularly alarmed when he saw that Russo (the hacker) and I were ‘friends’ on Facebook. Good thing he didn't check the kinds of people I'm following on Twitter: he might have really had a heart attack!”
In response, Frind said: “Just to be clear, Krebs didn't have anything to do with this. I was trying to convey how the hacker tried to create a mass sense of confusion at all times so you never know what is real and what is not.”
In regard to the database leak itself, Krebs said: “Part of the reason PlentyOfFish.com has a problem is because its database is insecure. PlentyOfFish.com claims to have closed the security hole and reset all user passwords, but on top of that the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no.
“Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.”
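The plaintext storage Krebs criticises, placed beside a salted and iterated hash, as an added illustration that is not code from the article or from PlentyOfFish; the user name and password are constructed samples, and the credential-check functions are hypothetical helpers rather than any real site's implementation. The point it shows is what an attacker holding a dumped row learns in each case.

```python
import hashlib
import hmac
import os

# Constructed sample record (not data from the breach). This plaintext table
# is the scheme the article criticises: the stored value IS the password.
PLAINTEXT_TABLE = {"alice": "correct horse battery staple"}

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows

def verify_plaintext(username: str, password: str) -> bool:
    """Plaintext scheme: a database dump yields every password directly."""
    return PLAINTEXT_TABLE.get(username) == password

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.
    A fresh random salt per user means equal passwords get unequal records,
    so one precomputed table cannot be reused against the whole dump."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_hashed(stored: str, password: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def password_visible_in_dump(record: str, password: str) -> bool:
    """What someone holding a dumped row learns: for a plaintext row the
    password is right there; for a hashed row it is not."""
    return password in record

if __name__ == "__main__":
    pw = "correct horse battery staple"
    stored = hash_password(pw)
    print("plaintext row leaks password:",
          password_visible_in_dump(PLAINTEXT_TABLE["alice"], pw))
    print("hashed row leaks password:", password_visible_in_dump(stored, pw))
    print("login with right password:", verify_hashed(stored, pw))
    print("login with wrong password:", verify_hashed(stored, "hunter2"))
```

A memory-hard function such as scrypt or Argon2 is the better choice where available; PBKDF2 is used here only because it ships in the Python standard library everywhere.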
Ash Patel, country manager UK & Ireland for Stonesoft, told SC Magazine that the problem is that there is no information on how many records were compromised and how the data has been used since.
He said: “The database is a never-ending solution with the more that we rely on the internet. We are only a window away from a public domain and this is another example of it not just affecting government or financial institutions, who would have thought about a dating agency? Everyone carries important information and you do not have to be dealing with money day in day out to apply a good security policy.”
He also claimed that this was an example of how a web application was developed with security the last consideration after ease of use and speed to market.