In Plentyoffish Hacked, Usernames and Passwords Stolen, Mashable says that Plentyoffish was hacked by Argentinian hacker Chris Russo, who did it under his own name, without taking precaution to hide his identity.
Plentyoffish founder Markus has a lengthy blog post explaining his personal side of the story.
Of the post, Mashable says:
The entire blog post is interesting mostly due to its weirdness, as it involves a shady business partner, Frind e-mailing Russo’s mother, and hints about Russo’s other hack-and-extort operations.
The story gets even more convoluted as Chris Russo’s side of the story is revealed in a blog post on Grumo Media. Russo claims he’s merely a security researcher, who had discovered a security hole on Plentyoffish, which was already “under active exploitation by hackers.”
Russo and his team disclosed the vulnerability to Frind’s wife, he claims, and Frind and her were “interested in hiring us as security professionals in order to make an analysis of the plataforms.” However, the relationship quickly deteriorated, with Frind accusing Russo that he stole Plentyoffish’s database, threatening not only to sue him, but also to “destroy” his life.
This is quite the clusterf*ck all around. Markus didn’t secure his site enough (nobody every does), passwords possibly stored without enough security (doh!), lots of people coming to the side of the supposed hackers, which may or may not be security consultants looking for work. And to top it off Markus contacted the supposed-hackers mom.
For a while Mark Brooks was doing PR for Plentyoffish. This is what happens when you don’t have an external team managing PR nightmares like this. People think that PR is about sending out press releases. Its also about dealing with disasters like POF is going through right now. Most dating sites don’t think about the potential revenue drop, they say “we’re not going to spend a few grand a month on PR because we can do it ourselves.” Wrong answer.
These hacking scenarios happen all the time on filesharing networks, but I have never heard this much publicity about a dating site getting hacked. Interesting to note that there are other possible dating sites on the “hackers” target list.
But is this a situation where a hacker alerted Plentyoffish to a security hole and things got out of hand, or something else? Too soon to tell.
Dating sites are usually quite lax when it comes to security because the smaller ones won’t pay a consultant to test and harden their sites.
I’m not a security guy but even I hashed user passwords using a password-unique salt when I ran Profile Doctor.
The reality of the situation is that dating sites gets hacked all the time. Nobody does enough about security and POF doesn’t come out looking very good. More hackers will go after dating sites, next month someone else will get hacked and nobody will know about it because hackers only like to talk about big exploits.
No word if the security issue also affects eVow, which is Plentyoffish’s eHarmony-style subscription site. We’ll just have to wait for Plentyoffish’s official statement about the intrusion later today.
