e-Harmony Breached, But It’s OK

Online dating site eHarmony is asking some of its users to change their passwords following the discovery of a security breach, even though it claims that the main site was not involved, only a secondary site that uses a separate login and database structure.  What do you think the chances are that a given user, one who is neither security-aware nor particularly concerned, used a different login name or a different password on that secondary site than on the main one?

An SQL injection vulnerability on a discussion forum site created a possible means for screen names, email addresses and hashed passwords to be extracted.  The flaw was reported by Chris Russo, who got into a dispute with the owner of the PlentyOfFish.com dating site last week over disclosure of similar problems on that site.  Meanwhile, someone using the handle 'Provider' was offering to sell a copy of eHarmony's compromised customer database for around US$3000 on underground carding forums.  Brian Krebs, who broke the story, suspects Provider is either Russo or a business associate of Russo.
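To make the mechanism concrete, here is an added example (written for this page, not code from eHarmony, the forum software, or Krebs' report) of how a forum search query built by string concatenation lets an attacker pull screen names, email addresses and password hashes out of a users table, and how the same query behaves once parameterised. The schema, the sample users and the hash values are constructed placeholders, not the real site's data.

```python
import sqlite3

# Constructed sample data: a tiny forum database with a posts table (what the
# search is meant to query) and a users table (what the attacker is after).
# Hash values are placeholders, not real credentials.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, screen_name TEXT, "
        "email TEXT, pw_hash TEXT)"
    )
    db.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, screen_name TEXT, body TEXT)"
    )
    db.executemany(
        "INSERT INTO users (screen_name, email, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
            ("bob", "bob@example.com", "e99a18c428cb38d5f260853678922e03"),
        ],
    )
    db.executemany(
        "INSERT INTO posts (screen_name, body) VALUES (?, ?)",
        [
            ("alice", "Hello forum"),
            ("bob", "Anyone else single this Valentine's Day?"),
        ],
    )
    return db


def search_posts_vulnerable(db, screen_name):
    # The user-supplied value is spliced straight into the SQL text, so the
    # caller controls the rest of the statement, not just the compared value.
    sql = (
        "SELECT screen_name, body FROM posts WHERE screen_name = '"
        + screen_name
        + "'"
    )
    return db.execute(sql).fetchall()


def search_posts_fixed(db, screen_name):
    # Parameterised query: the value is bound by the driver and can never
    # change the statement's structure.
    sql = "SELECT screen_name, body FROM posts WHERE screen_name = ?"
    return db.execute(sql, (screen_name,)).fetchall()


# A classic UNION-based payload: close the string, append a SELECT with the
# same number of columns from the users table, and comment out the trailing
# quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT email, pw_hash FROM users--"


def demo():
    """Run the same payload against both versions of the search."""
    db = make_db()
    leaked = search_posts_vulnerable(db, UNION_PAYLOAD)
    safe = search_posts_fixed(db, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
```

The vulnerable version hands back every email/hash pair in the users table because the injected UNION SELECT matches the two columns of the original query; the parameterised version treats the whole payload as a literal screen name and returns nothing. Note that a leaked hash is only as safe as the hashing scheme behind it: fast unsalted hashes are cheap to crack offline, which is exactly why a breach of a "separate" forum database still endangers users who reused their main-site password.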

This breach comes right on the heels of the PlentyOfFish incident and in the run-up to Valentine's Day.  Not a good time to be single on the Internet.

Read Brian Krebs’ account of events here.