Credential-stuffing hackers reportedly break hearts, accounts at OkCupid

Dating can make people feel vulnerable enough, especially in the run up to Valentine’s Day, without hackers blocking access to their OkCupid accounts and potentially tapping their personal information.

Some users of the dating service recently claimed their accounts were hacked and their emails changed so that they couldn’t reset their passwords. But OkCupid continues to deny that it suffered a breach, according to a report from TechCrunch. Indeed, the incident appears to bear the hallmarks of a credential stuffing attack.

“There has been no security breach at OkCupid,” said Natalie Sawyer, a spokesperson for OkCupid, as quoted in the news report. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

The company’s protest, “despite a significant portion of its customer base being affected, clearly shows the company doesn't appropriately account for customer-facing risks in its threat modeling,” said Nick Hayes, former Forrester analyst and current vice president of strategy at IntSights. “Even if OkCupid is okay at protecting itself, it needs to take more ownership for how it monitors and mitigates external digital risks for its customers, and the company at large.”

A recent LastPass Psychology of Passwords survey found “91 percent of people know that using the same password for multiple accounts is a security risk,” but “nearly two-thirds admitted that they continue to do so anyway,” said company CTO Sandor Palfy. 

“Reports of hacked OkCupid accounts are a great reminder that even accounts like dating apps can hold information hackers find valuable,” and that passwords are a first line of defense to protect online information , he said. 

SailPoint’s CMO Juliette Rizkallah called for “people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well.”

Credential stuffing has become more prevalent among hackers, leaving the personal and business accounts of users who don’t follow password best practices more vulnerable. 

“Protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too,” said Rizkallah. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.