eHarmony Hacked, Just In Time For Valentine’s Day

by David Evans on February 11, 2011 in Dating Safety, Dating Technology

The recent spate of dating site hack attacks shows no signs of letting up anytime soon.

From Krebs on Security’s eHarmony Hacked, which did a nice job covering the recent dating site hacks:

Online dating giant eHarmony has begun urging many users to change their passwords, after being alerted by KrebsOnSecurity.com to a potential security breach of customer information. The individual responsible for all the ruckus is an Argentinian hacker who recently claimed responsibility for a similar breach at competing e-dating site PlentyOfFish.com.

…(hacker) purported to have access to “different parts of the [eHarmony] infrastructure,” including a compromised database and e-mail channels. Provider was offering this information for prices ranging from $2,000 to $3,000.

Joseph Essas, chief technology officer at eHarmony, said Russo found a SQL injection vulnerability in one of the third party libraries that eHarmony has been using for content management on the company’s advice site – advice.eharmony.com. Essas said there were no signs that accounts at its main user site — eharmony.com — were affected.

Databases are a popular attack vector for hackers. eHarmony runs a massive infrastructure (MapReduce, Hadoop, MySQL, etc.). Security audits are difficult enough on your own code, and even more so on third-party software, or so I’m told.
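The class of defect Krebs describes, as an added example that is not from the original post or from eHarmony’s software: a CMS-style article lookup that builds its SQL by string concatenation, beside the parameterized form that closes the hole. The table, rows and inputs are constructed; the page does not identify the actual library or its schema.

```python
import sqlite3

# Constructed sample: a tiny "advice site" content table of the kind a CMS
# library might hold. The real library's schema is not described on the page.
SAMPLE_ROWS = [
    ("first-date-tips", "First date tips", 1),      # published
    ("draft-safety-guide", "Draft: safety guide", 0),  # unpublished
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (slug TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, slug):
    """Builds the query by string concatenation: the slug becomes SQL syntax,
    so a crafted value can rewrite the WHERE clause and bypass the
    published = 1 filter."""
    sql = "SELECT title FROM article WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, slug):
    """Binds the slug as a parameter: the driver sends it as a value, never as
    SQL, so the WHERE clause cannot be altered by the input."""
    sql = "SELECT title FROM article WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def compare(slug):
    """Run both lookups on a fresh database; returns (vulnerable, safe) results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, slug), lookup_parameterized(conn, slug)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("first-date-tips"))   # both return the published article
    print(compare("x' OR '1'='1"))      # vulnerable form leaks the draft, safe form returns nothing
```

A code audit of third-party components should flag every query assembled with `+`, `%` or f-strings; only the parameterized form is acceptable.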

Interesting fact: eHarmony also uses Hadoop to do real-time analysis of the effectiveness of its TV ads. They know exactly how much each commercial yields in new customers.

Another tidbit I found searching for stories about eHarmony’s infrastructure… Asked if eHarmony would ever consider taking its love-match algorithms into other match-making endeavors, Joseph Essas, vice-president of engineering and operations for eHarmony said: “We would definitely consider it. We are experimenting and playing with different businesses.” Hmm, interesting.

Final word: Every dating site out there should perform a security audit immediately. Failure to do so could result in another hack job, and that would not be good for the industry at all. This goes for the top 10 sites, all of Spark Networks, White Label Dating, Dating Factory, Boonex, SkaDate and all of the other dating site platforms.


1 comment

Fernando Ardenghi February 11, 2011 at 4:14 pm

Dave; It seems a rumour was circulating among black hat hackers (the bad ones) about how to hack PlentyOfFish, eHarmony and other online dating sites. Some white hat hackers (the good ones) received that information and decided to test whether it was true.
It takes nearly 4 seconds to download the info from a profile using SQL injections: 15 profiles per minute, 900 per hour, 21,600 per day, and 1,388 days to download a 30 million profile database (3.8 years).
It also seems several online dating sites, like PlentyOfFish and eHarmony, HAD BEEN ALERTED IN ADVANCE, during 2009, about security holes, but they had not paid them the attention they deserved.
See also, from June 2009: http://eharmony-blog.com/1519 “eHarmony is in big trouble: Have spammers hacked eHarmony Advice?”
