eHarmony dating site got hacked into, passwords stolen
February 11, 2011
Online dating site eHarmony is asking its users to change their passwords following the discovery of a security breach on its servers.
An SQL injection security vulnerability on a secondary site created a means for screen names, email addresses and hashed passwords to be extracted from the two sites, said the senior management at eHarmony.com.
The site's managers are advising a number of users to change their login credentials as a precaution. They maintain that there has been no breach of the main site and that the security issues affected only the small percentage of members who used its advice site, as set out in this statement:
"Some data was obtained without authorization from an ancillary informational site we operate outside of our network, eHarmony Advice, which uses completely separate databases and web servers than eHarmony.com. From one eHarmony Advice master database, the hacker was successful in obtaining a file that included full user names, email addresses and passwords. User names and passwords are needed to gain access to the message boards on the eHarmony Advice site."
Possible Internet security issues involving the eHarmony network were discovered some weeks ago by the same Argentinian hacker, Chris Russo, who got into an argument with rival dating site PlentyOfFish.com over the disclosure of similar security holes on that site last week.
Brian Krebs found that someone using the moniker ‘Provider’ was offering to sell what purported to be a copy of eHarmony’s compromised database for between US $2,000 and US $3,000 via underground carding forums. Krebs suspects Provider is either Russo or a business associate of Russo.
Both eHarmony’s chief technology officer Joseph Essas and PlentyOfFish.com chief exec Markus Frind accuse Russo of running a fraudulent shakedown, reporting problems with the sites and then offering to fix them in return for a consultancy fee.
Essas blamed third-party libraries that eHarmony used for content management on its advice site for the breach. Aziz Maakaroun, business development director at vulnerability management specialist Outpost 24, said the news of the breach, coming days before Valentine's Day, could hardly have arrived at a worse time for eHarmony.
"In the run up to Valentine's Day, the timing of this purported breach could be fairly disastrous for dating websites, especially eHarmony," Maakaroun said. "For any existing customer, being told that your details have potentially been hacked is hardly an aphrodisiac."
Maakaroun added that the use of Internet application scanning tools, and more specifically port scanners, can easily help identify and correct the most common types of security vulnerabilities eHarmony suffered from in this attack.