Online dating site eHarmony is asking some of its users to change their passwords following the discovery of a security breach, even though it says the main site was not involved, only a secondary site that uses a separate login and database. What are the chances that a given user who is not security-aware or security-conscious used a different login name, or a different password, on that secondary site?
An SQL injection vulnerability in a discussion forum site created a possible means for screen names, email addresses and hashed passwords to be extracted. According to Krebs's account, the vulnerability was reported by Chris Russo, who last week got into a dispute with the owner of the PlentyOfFish.com dating site over the disclosure of similar problems there. Someone using the handle 'Provider' was offering to sell a copy of eHarmony's compromised customer database for around US$3000 on underground carding forums. Brian Krebs suspects Provider is either Russo or a business associate of Russo.
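As an added illustration (not from the original post or from Krebs's account, and not eHarmony's code or schema), here is a minimal forum search in Python with SQLite showing how a query built by string formatting lets a UNION payload pull screen names, email addresses and password hashes out of a users table that the search was never meant to touch, beside the parameterized version that turns the same input into a harmless search term. The table names, columns, sample rows and the SHA-256 hashing are constructed assumptions for the demo.

```python
import hashlib
import sqlite3

# Constructed sample data for the demo; not real accounts and not eHarmony's schema.
SAMPLE_USERS = [
    ("alice_k", "alice@example.com", "correct horse"),
    ("bob99", "bob@example.com", "hunter2"),
]
SAMPLE_POSTS = [
    ("First date advice", "Be on time."),
    ("Profile photo tips", "Use natural light."),
]


def hash_password(password):
    """Assumed hashing scheme for the sample data (unsalted SHA-256, chosen for brevity)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Build an in-memory forum database with a users table beside the posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, screen_name TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    for name, email, password in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users (screen_name, email, password_hash) VALUES (?, ?, ?)",
            (name, email, hash_password(password)),
        )
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def search_posts_vulnerable(conn, term):
    """Vulnerable: the search term is pasted into the SQL text, so it can change the query."""
    sql = f"SELECT title, body FROM posts WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    """Fixed: the term is bound as a parameter and can only ever be a LIKE pattern."""
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# UNION-based payload: closes the LIKE literal, appends a SELECT from the users
# table with the same column count as the original query, and comments out the
# trailing "%'" so the statement still parses.
PAYLOAD = "zzz%' UNION SELECT screen_name, email || ':' || password_hash FROM users --"

if __name__ == "__main__":
    conn = make_db()
    # The vulnerable search returns user rows instead of forum posts.
    print("vulnerable:", search_posts_vulnerable(conn, PAYLOAD))
    # The parameterized search returns nothing, since no title contains the payload text.
    print("safe:", search_posts_safe(conn, PAYLOAD))
```

The leaked rows carry only password hashes, which is why the hashing scheme and the users' password reuse across the secondary and main sites decide how much damage follows; the injection itself is fixed purely by the parameter binding in `search_posts_safe`.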
This breach comes just after the PlentyOfFish incident and in the run-up to Valentine's Day. Not a good time to be single on the Internet.
Read Brian Krebs’ account of events here.