eHarmony advice site hacked to expose user information

Less than a month after the dating site PlentyOfFish suffered a breach of customer data, rival eHarmony has confirmed that a hacker gained access to some of its users' information.

The hacker leveraged an SQL injection vulnerability on a secondary eHarmony relationship advice site called eHarmony Advice to obtain a file containing usernames, email addresses and hashed passwords.

The advice site, a free online community where members can discuss relationship issues, uses databases and web servers separate from those of the main eHarmony dating site, which was not affected, the online dating giant said in a statement.
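The article names the flaw only as an SQL injection vulnerability. The following is an added example, not code from eHarmony or from the article, showing the defect class beside its fix: a member lookup built by string concatenation lets an input that closes the quote and appends a tautology return every row, while the same query with parameter binding treats the input purely as data. The `members` table, its three sample rows and the `lookup_*` function names are constructed for this illustration; SQLite stands in for whatever database the advice site actually used.

```python
import sqlite3

# Constructed sample rows for a community site's member table
# (invented for this example; not eHarmony's schema or data).
SAMPLE_MEMBERS = [
    ("alice", "alice@example.com", "hash-placeholder-1"),
    ("bob", "bob@example.com", "hash-placeholder-2"),
    ("carol", "carol@example.com", "hash-placeholder-3"),
]


def build_db():
    """Create an in-memory database holding the constructed members."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the input is spliced into the SQL text itself."""
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a quote-closing tautology."""
    conn = build_db()
    benign = "alice"
    # Closes the string literal and appends a condition that is always true.
    tautology = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),   # every row leaks
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_tautology": lookup_parameterized(conn, tautology),  # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameter binding is the fix; escaping or filtering quotes is not a substitute, because the database driver, not the application, decides how the bound value is quoted. The same rule applies to every column the page says was exposed, including the password hashes, which should additionally be stored with a slow, salted password hash so that a dump of the table is not immediately usable.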

“eHarmony.com, our matchmaking service, was not hacked as some other reports have incorrectly suggested,” Paul Breton, an eHarmony spokesman, told SCMagazineUS.com in an email Friday.

eHarmony has not revealed the number of users affected by the breach, but said less than 0.05 percent of its member base was impacted. According to the company's website, 33 million users across all 50 states and 191 countries have joined since the site's inception.

eHarmony said it has closed the vulnerability and notified affected customers.

“The security of our customers' information is extremely important to us, and we do not take this situation lightly,” an eHarmony spokeswoman wrote in a blog post Thursday. “We deeply regret any inconvenience this causes any of our users.”

The breach was first disclosed Thursday by security blogger Brian Krebs, who said an Argentinean security researcher told him late last year that he'd discovered vulnerabilities in eHarmony's network that allowed him to view the passwords and other information of tens of thousands of eHarmony customers.

The researcher, Chris Russo, also claimed responsibility late last month for a similar breach of online dating site PlentyOfFish.com.

Krebs reported that about a week ago, while trolling underground forum Carder.biz, he found an entry posted by a user with the handle “Provider” who was selling access to parts of eHarmony.com for $2,000 to $3,000.

Joseph Essas, chief technology officer at eHarmony, reportedly told Krebs that Russo tried to sell eHarmony security services to fix the vulnerabilities, but the company declined.

“Russo's fraudulent efforts to obtain money from us are most disturbing,” Essas told Krebs. “As such, we are exploring our legal rights and remedies as well.”

For his part, Russo told SCMagazineUS.com in an email Friday that he reported the vulnerability to eHarmony about three months ago, and the online dating site was appreciative.

“We just sent an email to them and made a couple of calls to be sure that everything was in place,” Russo said. “eHarmony.com replied in a very professional way and were pretty thankful with us.”

When questioned about the Carder.biz post, Russo told Krebs that he never attempted to sell a vulnerability that could allow access to eHarmony, but one of his business associates may have acted on his own to do so.

“I really have no reference about this,” Russo told SCMagazineUS.com. “However, I can say that it seems like all dating sites are taking a lot of interest from blackhats on the scene. It wouldn't surprise me if someone other than us finds a vulnerability if they are looking for it. Most of the web is insecure.”
