Hacker lays bare lonely hearts site


User details purloined from SQL injection exploit wind up on blackhat e-commerce site.

Just in time for Valentine's Day and less than a month after dating site PlentyOfFish's customer data was breached, rival eHarmony confirmed that a hacker accessed its users' information.

The hacker leveraged an SQL injection vulnerability on a secondary eHarmony relationship advice site called eHarmony Advice to obtain a file containing usernames, email addresses and hashed passwords.
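As an added illustration (not code from the original article, and not eHarmony's own code), this shows the shape of the flaw the article describes: a lookup query built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table whose columns (username, email address, hashed password) mirror the file the article says was taken. The table and column names, the sample rows, the SHA-256 stand-in for whatever hashing the site used, and the payload are all assumptions made for the demonstration; the article gives no detail of eHarmony's actual schema or of the exploit used.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for a leaked user file (not real data).
# SHA-256 is a placeholder: the article does not say how the site hashed passwords.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "correct horse"),
    ("bob", "bob@example.com", "battery staple"),
    ("carol", "carol@example.com", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table shaped like the file the article says was dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, e, hashlib.sha256(p.encode()).hexdigest()) for u, e, p in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: attacker-controlled input is parsed as SQL syntax."""
    sql = (
        "SELECT username, email, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the input is bound as data and never reaches the parser as SQL."""
    sql = "SELECT username, email, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the open string literal, then appends OR '1'='1'.
# In the vulnerable function the WHERE clause becomes
#   username = 'nobody' OR '1'='1'
# which matches every row, so the whole table (hashes included) comes back.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Run the payload through both lookups and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_rows": len(lookup_safe(conn, PAYLOAD)),
        "safe_legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Against the constructed table, the payload pulls all three rows through the concatenated query and none through the bound one, while a legitimate username still resolves normally through the bound query. Two points follow for anyone reviewing a similar site: the fix is to bind every user-supplied value (an allow-list or escaping is a weaker substitute), and a dump of "hashed" passwords is only as safe as the hash scheme, which the article does not describe.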

The advice site, a free online community where members can discuss relationship issues, uses separate databases and web servers from the main eHarmony dating site, which was not affected, the online dating giant said in a statement.

“eHarmony.com, our matchmaking service, was not hacked as some other reports have incorrectly suggested,” Paul Breton, an eHarmony spokesman said.

eHarmony has not revealed how many users were affected but said fewer than 0.05 percent of its members were impacted. According to the company's website, 33 million users in the US and 191 other countries have joined since the site's inception.

eHarmony said it has closed the vulnerability and notified affected customers.

“The security of our customers' information is extremely important to us, and we do not take this situation lightly,” an eHarmony spokesman wrote in a blog post Thursday. “We deeply regret any inconvenience this causes any of our users.”

The breach was disclosed last Friday by security blogger Brian Krebs, who said Argentine security researcher Chris Russo told him late last year that he found vulnerabilities in eHarmony's network that allowed him to view the passwords and other information of thousands of its customers.

Russo claimed responsibility late last month for a similar breach of online dating site PlentyOfFish.com.

Krebs reported that about a week ago, while trawling the underground forum Carder.biz, he found an entry posted by a user with the handle “Provider” who was selling access to parts of eHarmony.com for US$2000 (A$1998) to US$3000.

Joseph Essas, chief technology officer at eHarmony, told Krebs that Russo tried to sell eHarmony security services to fix the vulnerabilities, but the company declined.

“Russo's fraudulent efforts to obtain money from us are most disturbing,” Essas told Krebs. “As such, we are exploring our legal rights and remedies as well.”

Russo said that he reported the vulnerability to eHarmony about three months ago, and the online dating site was appreciative.

“We just sent an email to them and made a couple of calls to be sure that everything was in place,” Russo said. “eHarmony.com replied in a very professional way and were pretty thankful with us.”

When questioned about the Carder.biz post, Russo told Krebs that he never attempted to sell a vulnerability that could allow access to eHarmony, but one of his business associates may have acted on his own to do so.

“I really have no reference about this,” he said.

“However, I can say that it seems like all dating sites are taking a lot of interest from blackhats on the scene. It wouldn't surprise me if someone other than us finds a vulnerability if they are looking for it. Most of the web is insecure.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition