Online dating site eHarmony has been hacked. eHarmony is asking some of its users to change their passwords after being alerted by KrebsOnSecurity to a potential security breach of customer information. Aziz Maakaroun, business development director at vulnerability management specialist Outpost24, said: “In the run up to Valentine’s Day, the timing of this purported breach could be fairly disastrous for dating website eHarmony,” Maakaroun said. “For any existing customer, being told that your details have potentially been hacked is hardly an aphrodisiac.”
Databases are a popular attack vector for hackers. A SQL injection vulnerability (an attack technique that exploits web sites by altering back-end SQL statements through manipulated application input) on a secondary site created a possible means for screen names, email addresses and hashed passwords to be extracted. eHarmony has a massive infrastructure (MapReduce, Hadoop, MySql, etc.). Security audits are difficult enough on in-house code, and even more so on third-party software.
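As an added illustration (not code from the article, from eHarmony, or from any of the parties named), the following Python contrasts a user lookup that builds its SQL by string concatenation, the pattern behind the injection flaw described above, with the same lookup written as a parameterised query. It runs against an in-memory SQLite table with constructed rows rather than MySQL; the table name, column names and sample rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a "secondary site" user table.
    # Schema and rows are invented for this example, not eHarmony's.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (screen_name TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hash-a"),
            ("bob", "bob@example.com", "hash-b"),
            ("carol", "carol@example.com", "hash-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn, screen_name):
    # The statement is assembled by concatenating the caller's input, so the
    # database parses that input as SQL and the input can change the query.
    sql = (
        "SELECT screen_name, email FROM users WHERE screen_name = '"
        + screen_name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, screen_name):
    # Parameterised query: the input is bound as a value by the driver and is
    # never interpreted as part of the statement, whatever characters it holds.
    sql = "SELECT screen_name, email FROM users WHERE screen_name = ?"
    return conn.execute(sql, (screen_name,)).fetchall()


def demo():
    """Run both lookups with an ordinary input and with input that carries a
    tautology, and return the four result sets for comparison."""
    conn = make_db()
    normal = "alice"
    # The textbook shape of "altering back-end SQL through application input":
    # the concatenated query becomes ... WHERE screen_name = 'x' OR '1'='1'
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row in the table for the hostile input, which is exactly how screen names and email addresses leak in bulk; the parameterised lookup returns nothing for it, because no user literally has that screen name. Auditing a code base for the first pattern (SQL assembled from strings) is a concrete, repeatable check that fits the audit the article calls for.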
Chris Russo, a self-styled “security researcher” from Buenos Aires, and Brian Krebs, author of the KrebsOnSecurity blog, alerted eHarmony’s corporate offices to a potential exploit of the eHarmony database, the most sensitive part of the system, where all the email addresses and passwords may have been compromised. But Joseph Essas, chief technology officer at eHarmony, denies it, claiming: “Despite his reports to you, we have found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments.”
Essas believes that Russo is trying to obtain money from the company through fraudulent efforts. He said that “in addition to continuing to assess the situation, we are taking some proactive precautionary measures,” but he did not specify what those measures might be. Krebs said he has heard from an eHarmony user who said she had received an email from eHarmony urging her to change her password. eHarmony is in the process of advising a small number of users to change their login credentials as a precaution.
Russo said that he had discovered vulnerabilities in eHarmony’s network that allowed him to view passwords since December of last year. On Carder.biz, an online forum that enables cyber crooks to engage in a variety of shady transactions, from buying and selling hacked data and accounts to the purchase and/or renting of criminal services such as botnet hosting and exploit packs, both Krebs and Russo found a curious solicitation from a user there. A seller using the nickname “Provider” claims to have access to “different parts of the [eHarmony] infrastructure and exploit database and e-mail channels.” Provider was offering this information for prices ranging from $2,000 to $3,000.
The hacker is also advertising data from other popular websites such as www.diversitybusiness.com, www.pixmania.com and www.eidos.com in the same forum, which he or his associates may have hacked as well. So every dating site out there should perform a security audit immediately in order to protect itself from hacking.