With Valentine’s Day just around the corner, many of us would expect to hear the usual warnings about scammers trying to convince people to send money in the name of love.
In a typical online dating ruse, a scam artist would create a fake profile, gain the trust of an online love interest, and then ask them to wire money to some overseas location. But here’s an unlikely but true story that recently played out for the CEO of popular dating website PlentyofFish.com.
The CEO, Markus Frind, was lured into a brazen tale that included 345 hacked member accounts, approximately 30 million member profiles at risk, and an extortion sub-plot. The hackers allegedly sought to be hired as part of a security team or else they would release hacked member profiles to the press.
The PlentyofFish team quickly closed the security breach and spent several days testing its systems to confirm that no other vulnerabilities remained. The team also sent the following message to its members:
“As a security precaution we have reset everyone’s password on PlentyofFish. If you used your PlentyofFish password elsewhere we suggest you reset it. Even if you didn’t, resetting all your passwords every 6 months is a good idea. We did this after a hacker came to us telling us he had access to our data.”
Frind called it “an incredibly well-planned and sophisticated attack” and blogged at length about what he was told during the extortion attempt. He wrote that the hackers claimed the following:
“The Russians have complete access to everything including our bank accounts, and they want to steal about $30 million from a string of dating sites including ours. Not only that, he tells us 5 or 6 other dating sites in the industry have been breached, and he gives me what he claims is the administrative password for a dating company I won’t name but it’s very famous. He claims the reason he knows all this is because Russians have taken over his computer and he can see everything they are doing.”
Frind also wrote that the hackers said:
“We should find a way to work together as they are a security company. In exchange for complete access to all of our source code and SQL servers they can make sure we aren’t attacked again. Now they want us to sign NDAs, contracts etc. They also claim they know the locations of where the Russians dumped our data and they can delete it.”
Meanwhile, the alleged hacker has defended himself, positioning himself as a security researcher only trying to help after discovering a security breach. He told Canadian newspaper The Province, “There wasn’t extortion at all, we never asked for a penny. The truth is that my team reported a flaw…for free, and with good intentions.”
The Washington Post security expert — who is mentioned in Frind’s drama-filled blog — writes on his own blog that the dating website’s database is “insecure.” He also warns:
“The company appears to store its customer and user passwords in plain text, which is a Security 101 no-no. Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.”
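To make the "Security 101" point in that quote concrete, here is an added example (written for this page, not code from PlentyofFish or from the blog quoted above) of the difference between a plain-text password table and one that stores a per-user salted PBKDF2 hash. The user names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a plain-text password table: anyone who reads the
# table, whether an intruder or an insider, immediately has every password.
PLAINTEXT_STORE = {"alice": "correct horse", "bob": "hunter2"}

# PBKDF2-HMAC-SHA256 work factor (assumed value; raise it as hardware gets faster).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$digest_hex'."""
    # A fresh random salt per user means two users with the same password get
    # different records, and precomputed hash tables are useless against the dump.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate(plain_store: dict) -> dict:
    """Convert a plain-text table into a hashed one; the cleartext is never kept."""
    return {user: hash_password(pw) for user, pw in plain_store.items()}


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record[:48] + "...")
    print("alice login ok:", verify_password("correct horse", hashed["alice"]))
```

A site that stores only these records can still check a login, but a copy of the table no longer hands out the passwords, which also protects members who reused the same password elsewhere.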
In the meantime, the Vancouver-based company says it plans to hire several security companies to perform an external security audit.
While this story is a bit unusual, it is an excellent reminder to proceed very carefully on any website that doesn’t encrypt your login information. It is also a good reminder not to use the same user name/password combination for all websites that require login information. Do you alter user names and passwords frequently? What other measures do you take to keep your identity protected online?