Dating site PlentyOfFish hacked to expose passwords
The CEO of a popular online dating site said early Monday morning that hackers stole an unknown number of login credentials belonging to users.
Posting on his personal blog, Markus Frind, the creator of Canada-based PlentyOfFish.com, which reports 145 million monthly visitors, said the site illegally was accessed last week and that email addresses, usernames and passwords were downloaded.
"This was an incredibly well planned and sophisticated attack," Frind wrote.
He blamed the attack on Argentinean security researcher Chris Russo, who Frind claimed was working with Russian partners to extort money from PlentyOfFish.
Attempts to reach Frind for comment were unsuccessful.
Russo presented his side of the story, in an interview with Grumo Media, a video production company.
He said that he and his team discovered a SQL injection vulnerability on Jan. 21, which exposed in plain text the names, usernames, passwords, physical and email addresses, phone numbers and PayPal account data of more than 28 million members.
"This vulnerability was under active exploitation by hackers," Russo said. "The vulnerability, was properly documented by our team, without exposing any confidential user information. This...could allow any attacker to make a full backup of the databases used by the web sever, and or gain direct access into the site."
Russo said the bug was fixed and that PlentyOfFish remained in contact with him and his team because the site was interested in hiring them to analyze all of their platforms.
"While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website," Russo said.
Then, on Sunday night, according to Russo, Frind threatened him to embarrass and sue him if any of the data was publicly exposed.
The bizarre he-said-she-said tale certainly does not absolve PlentyOfFish of the fact that its website was vulnerable to attack, Jeremiah Grossman, founder of website security firm WhiteHat Security, told SCMagazineUS.com on Monday.
He said PlentyOfFish should have conducted more active vulnerability scanning and code development.
"They should probably have been hacking themselves first, especially for a system that large for that many people," Grossman said. "They probably should have seen it coming. It's database permissions, it's encrypting your passwords and it's not being vulnerable to SQL injection."
Based on a video recorded by Russo and posted on YouTube, Grossman said the flaw didn't appear complex to exploit.
"It didn't look like Chris Russo had to do very much to bypass the filters," he said.
Users should be sure to change their PlentyOfFish passwords and any similar credentials they may be using at other sites and accounts, Grossman recommended.