Love Stinks: Dating Sites Become Hacker’s Playpen
By Gabriel Perna | February 13, 2011 3:34 AM EST
There's nothing beautiful or loving about the recent web security trend that has seen more hackers take aim at dating sites.
Whether it's eHarmony, Plenty of Fish or just a rogue Valentine's Day application on Facebook, scammers have taken advantage of the upcoming love-based holiday in a major way. Chester Wisniewski, senior security adviser at security consulting firm Sophos, said this time of year hackers like to prey on people's loneliness.
"When people are lonely, the internet becomes a great way to meet others. In our desperation, we sometimes disclose too much information. These dating sites become a playground for the criminals. You are really vulnerable," Wisniewski said.
Recently, eHarmony said its ancillary advice site (advice.eharmony.com) was hacked. A hacker obtained a file that included user names, email addresses and hashed passwords. The company said the site has a different database and server from the popular eHarmony.com. It said there is very little overlap between the eHarmony Advice data obtained and the data that resides within other properties.
"We have taken appropriate steps to remedy the situation and have notified any potentially affected customers, who comprise an extremely small fraction of our total eHarmony.com user base (less than 0.05 percent)," a company spokesperson said in an emailed statement.
eHarmony was not the only dating site to feel the wrath of the hacking community. Vancouver, B.C.-based Plenty of Fish announced a few weeks ago that a hacker had gained access to its database, and logs from 345 accounts were exported.
"Hackers attempted to blackmail Plentyoffish into 'hire' them as a security team. If Plentyoffish failed to cooperate, hackers threatened to release hacked accounts to the press. The breach was sealed in minutes and the Plentyoffish team had spent several days testing its systems to ensure no other vulnerabilities were found. Several security measures, including forced password reset, had been imposed," the company's chief executive Markus Frind said in a statement on his blog.
Both dating site hacks were initially reported by former Washington Post security reporter and current blogger Brian Krebs. In his blog, Krebs On Security, Krebs said both attacks were made by a young Argentinean hacker, Chris Russo. In both cases, the companies affected said Russo tried to extort them. Another dating site, Zoosk, has also been the target of hackers in the recent past.
"Any place where people are disclosing information is going to be targeted," Wisniewski said. "If you disclose your age, sex, hobbies, school, location; that will be targeted. Dating sites are no different than Facebook."
Wisniewski's own company Sophos recently reported a data-stealing scam which actually combined both Facebook and the Valentine's Day love theme. According to Wisniewski's associate Graham Cluley, scammers are using fake Facebook applications to obtain people's data.
The users are being tricked into clicking on messages which pretend to be from their online friends. The fake message tells the user how to find out who their Valentine is and how to put a heart or love poem on their sweetheart's wall. From there, the Facebook applications, titled Valentine's Day and Special Valentine, ask for the user's permission to "access basic information." When the user clicks "Allow," the scammers get access to the user's name, photograph, gender and information about their friends.
Wisniewski said these kinds of Valentine's Day, love-themed scams have been around for a while. For instance, he said a number of malicious e-cards typically make the rounds across the internet this time of year pretending to be from someone a user knows. In reality, the card is a way for hackers to run malicious code on a victim's computer.
"This is probably the peak time for Valentine's Day scams," Wisniewski said.