300 Million Users Risking Their Personal Data on Hacked Online Dating Site

Bob Styran, IT audit expert
February 01, 2011

At least 30 million internet users face the risk of a security breach after PlentyOfFish.com, an online dating site, fell prey to a hacker who gained access to customers' account information, including passwords and other personal data.

Security expert Brian Krebs said in a blog post that the breach was due to the website's weak and vulnerable system, adding that PlentyOfFish.com violated basic online security rules by storing customers' passwords as plain text rather than in encrypted form.
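To make the point concrete, the following is an added example (not code from the article or from PlentyOfFish) contrasting the plaintext storage described above with the standard defensive practice: storing only a salted, iterated password hash so that a leaked user table does not reveal the passwords themselves. The user "table" is a constructed in-memory dict, and the iteration count is an assumed work factor; the hashing itself uses Python's standard-library PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; real deployments should
# tune this to their hardware and keep it as high as login latency allows.
ITERATIONS = 200_000


def plaintext_register(users: Dict[str, str], username: str, password: str) -> None:
    """The anti-pattern: the password is stored exactly as typed."""
    users[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def hashed_register(users: Dict[str, str], username: str, password: str) -> None:
    """The defensive pattern: only the salted hash record is written to the table."""
    users[username] = hash_password(password)


def hashed_login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate without ever storing or comparing the raw password."""
    record = users.get(username)
    return record is not None and verify_password(password, record)


def dump_reveals_password(users: Dict[str, str], password: str) -> bool:
    """Simulate an attacker reading a leaked user table: is the password visible in it?"""
    return any(password in value for value in users.values())


if __name__ == "__main__":
    # Constructed sample credential used only for this demonstration.
    bad_table: Dict[str, str] = {}
    good_table: Dict[str, str] = {}
    plaintext_register(bad_table, "alice", "correct horse battery staple")
    hashed_register(good_table, "alice", "correct horse battery staple")
    print("plaintext table leaks password:", dump_reveals_password(bad_table, "correct horse battery staple"))
    print("hashed table leaks password:   ", dump_reveals_password(good_table, "correct horse battery staple"))
    print("login with right password:     ", hashed_login(good_table, "alice", "correct horse battery staple"))
    print("login with wrong password:     ", hashed_login(good_table, "alice", "wrong"))
```

Because each user gets a fresh random salt, two users with the same password produce different records, and a leaked table yields nothing an attacker can use directly; the work factor then bounds how fast each guess can be tested offline.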

The website's founder, Markus Frind, initially accused Krebs of being involved in the cyber crime allegedly committed by Argentinian hacker Chris Russo who, Frind claimed, had tried to extort money from him.

Krebs admitted Russo had informed him earlier this month of a vulnerability he found in PlentyOfFish.com.

“On January 19, I heard from Russo, who told me he and some friends had found bugs in pof.com that let them view account and password information on any PlentyofFish user. He said the information was being circulated in the hacker community, and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information,” Krebs wrote.

However, Krebs said he had immediately passed on to Frind the information he received from Russo, but Frind did not return his messages.

“For the past 10 days, Frind has promised a response, but otherwise dodged my emails. I began actually writing up a blog post about this hack. This morning (January 31), I awoke to find a rambling blog post that indirectly accuses me of participating in an extortion scam, before mildly backtracking from that claim,” Krebs wrote.

Frind promptly updated his blog to recant initial statements accusing Krebs, saying “I was trying to convey how the hacker tried to create a mass sense of confusion at all times so you never know what’s real and what is not.”

In further response to Frind’s initial statement, Krebs wrote in his blog, “Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.”

Frind, for his part, stated that based on the website's log files only 345 customers had their personal data stolen by the hacker.
