
Online Dating Site eHarmony.com Hacked!


Online dating giant eHarmony has begun urging many users to change their passwords, after being alerted to a potential security breach of customer information. The individual responsible for all the ruckus is an Argentinian hacker who recently claimed responsibility for a similar breach at competing e-dating site PlentyOfFish.com.

Late last year, Chris “Ch” Russo, a self-styled “security researcher” from Buenos Aires, told me he’d discovered vulnerabilities in eHarmony’s network that allowed him to view passwords and other information on tens of thousands of eHarmony users.
Russo first alerted me to his findings in late December, right after he said he first began contacting site administrators about the flaw. At the time, I sent messages to several of the administrative eHarmony e-mail addresses whose passwords Russo said he was able to discover, although I received no response. Russo told me shortly thereafter that he’d hit a brick wall in his research, and I let the matter drop after that.
Then, about a week ago, I heard from a source in the hacker underground who remarked, “You know eHarmony got hacked, too, right?” I quickly checked several fraud forums that I monitor, and soon found a curious solicitation from a user at Carder.biz, an online forum that enables cyber crooks to engage in a variety of shady transactions, from buying and selling hacked information and accounts to the purchase and/or renting of criminal services, such as botnet hosting, exploit packs, purloined credit card and consumer identity data. The seller, using the nickname “Provider” and pictured in the screen shot below, purported to have access to “different parts of the [eHarmony] infrastructure,” including a compromised database and e-mail channels. Provider was offering this information for prices ranging from $2,000 to $3,000.
When I contacted Russo about this development, he initially said that he never did anything with his findings, although later in the conversation he conceded it was possible that an associate of his who also was privy to details of the discovery may have acted on his own. At that point, I contacted eHarmony’s corporate offices and shared a copy of the screen shot and information I’d obtained from Russo.
Joseph Essas, chief technology officer at eHarmony, said Russo found a SQL injection vulnerability in one of the third party libraries that eHarmony has been using for content management on the company’s advice site – advice.eharmony.com. Essas said there were no signs that accounts at its main user site — eharmony.com — were affected.
“The SQL dump contained screen names, email addresses, and hashed passwords for account login on the Advice site. Once we learned about the nature of the exploit, we obviously closed it on the network layer and offered the third party vendor help with patching the software, as we do not have access to their source code,” Essas said. “Despite his reports to you, we have found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments.”
Essas said Russo approached eHarmony offering to sell security services to help the company fix the flaws, which eHarmony declined.
“Russo’s fraudulent efforts to obtain money from us are most disturbing,” Essas said. “As such, we are exploring our legal rights and remedies as well.”
Essas added that “in addition to continuing to assess the situation, we are taking some proactive precautionary measures,” although he declined to state what those measures might be. However, on Wednesday evening, I heard from an eHarmony user who said she had just received an e-mail from the company urging her to change her password.
In the same carder.biz forum, the hacker calling himself “Provider” also is advertising information from other popular Web sites, ostensibly those that he or an associate hacked. For example, one post offers “1,500,000 American usernames, passwords, emails and more” allegedly taken from the database of small business services provider diversitybusiness.com, for $1,500. In addition, this miscreant also is selling access to the customer database for online electronics store pixmania.com and computer game vendor eidos.com, for similar amounts. Neither diversitybusiness.com nor pixmania.com responded to requests for comment. The general counsel for eidos.com, a division of the Square Enix Group, said the company was investigating the claim but declined to comment further.

