Online dating giant eHarmony has begun urging many users to change their passwords, after being alerted by KrebsOnSecurity.com to a potential security breach of customer information. The individual responsible for all the ruckus is an Argentinian hacker who recently claimed responsibility for a similar breach at competing e-dating site PlentyOfFish.com.
Late last year, Chris “Ch” Russo, a self-styled “security researcher” from Buenos Aires, told me he’d discovered vulnerabilities in eHarmony’s network that allowed him to view passwords and other information on tens of thousands of eHarmony users.
Russo first alerted me to his findings in late December, right after he said he first began contacting site administrators about the flaw. At the time, I sent messages to several of the administrative eHarmony e-mail addresses whose passwords Russo said he was able to discover, although I received no response. Russo told me shortly thereafter that he’d hit a brick wall in his research, and I let the matter drop after that.
Then, about a week ago, I heard from a source in the hacker underground who remarked, “You know eHarmony got hacked, too, right?” I quickly checked several fraud forums that I monitor, and soon found a curious solicitation from a user at Carder.biz, an online forum that enables cyber crooks to engage in a variety of shady transactions, from buying and selling hacked data and accounts to the purchase and/or renting of criminal services, such as botnet hosting, exploit packs, purloined credit card and consumer identity data. The seller, using the nickname “Provider” and pictured in the screen shot below, purported to have access to “different parts of the [eHarmony] infrastructure,” including a compromised database and e-mail channels. Provider was offering this information for prices ranging from $2,000 to $3,000.
When I contacted Russo about this development, he initially said that he never did anything with his findings, although later in the conversation he conceded it was possible that an associate of his who also was privy to details of the discovery may have acted on his own. At that point, I contacted eHarmony’s corporate offices and shared a copy of the screen shot and information I’d obtained from Russo.
Joseph Essas, chief technology officer at eHarmony, said Russo found a SQL injection vulnerability in one of the third-party libraries that eHarmony has been using for content management on the company’s advice site – advice.eharmony.com. Essas said there were no signs that accounts at its main user site — eharmony.com — were affected.
“The SQL dump contained screen names, email addresses, and hashed passwords for account login on the Advice site. Once we learned about the nature of the exploit, we obviously closed it on the network layer and offered the third party vendor help with patching the software, as we do not have access to their source code,” Essas said. “Despite his reports to you, we have found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments.”
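The class of flaw Essas describes, a SQL injection in a content-management lookup, comes down to untrusted input being concatenated into a query string. The following is an added illustration, not code from eHarmony or from the third-party library involved, and it uses a constructed in-memory SQLite database with made-up rows. It places the vulnerable lookup next to the parameterized one, and adds an allowlist check on the slug as a defense-in-depth step a content site could apply before the query runs.

```python
import re
import sqlite3

# Constructed sample data standing in for a small content-management database.
# The users table mirrors the kind of columns the article says were dumped
# (screen name, e-mail, password hash); the values here are invented.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (screen_name TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "constructed-hash-1"),
        ("bob", "bob@example.com", "constructed-hash-2"),
    ])
    conn.execute("CREATE TABLE articles (slug TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [
        ("first-date-tips", "First date tips"),
        ("draft-post", "Unpublished draft"),
    ])
    return conn

def find_article_vulnerable(conn, slug):
    # Vulnerable pattern: the request-controlled slug is spliced into the SQL text,
    # so quote characters in the input change the meaning of the WHERE clause.
    query = f"SELECT slug, title FROM articles WHERE slug = '{slug}'"
    return conn.execute(query).fetchall()

def find_article_safe(conn, slug):
    # Hardened pattern: placeholder binding sends the slug as data, never as SQL.
    query = "SELECT slug, title FROM articles WHERE slug = ?"
    return conn.execute(query, (slug,)).fetchall()

# Hypothetical allowlist: URL slugs on a content site are lowercase words joined by
# hyphens, so anything else can be rejected and logged before a query is built.
SLUG_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")

def valid_slug(slug):
    return bool(SLUG_RE.fullmatch(slug))

def lookup(conn, slug):
    # The request handler a site would expose: reject malformed slugs, then use the
    # parameterized query. Returns (rows, rejected) so the caller can log rejections.
    if not valid_slug(slug):
        return [], True
    return find_article_safe(conn, slug), False

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", find_article_vulnerable(db, crafted))  # every row comes back
    print("safe:      ", find_article_safe(db, crafted))        # no row has that literal slug
    print("handler:   ", lookup(db, crafted))                   # rejected before any query
```

The vulnerable function returns every article for the crafted slug because the quote in the input terminates the string literal; the parameterized function returns nothing because it searches for that exact string. The allowlist is not a substitute for parameterization, but it gives the application a cheap place to detect and log probing attempts that a query built correctly would otherwise absorb silently.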
Essas said Russo approached eHarmony offering to sell security services to help the company fix the flaws, which eHarmony declined.
“Russo’s fraudulent efforts to obtain money from us are most disturbing,” Essas said. “As such, we are exploring our legal rights and remedies as well.”
Essas added that “in addition to continuing to assess the situation, we are taking some proactive precautionary measures,” although he declined to say what those measures might be. However, on Wednesday evening, I heard from an eHarmony user who said she had just received an e-mail from the company urging her to change her password.
In the same carder.biz forum, the hacker calling himself “Provider” also is advertising data from other popular Web sites, ostensibly those that he or an associate hacked. For example, one post offers “1,500,000 American usernames, passwords, emails and more” allegedly taken from the database of small business services provider diversitybusiness.com, for $1,500. In addition, this miscreant also is selling access to the customer database for online electronics store pixmania.com and computer game vendor eidos.com, for similar amounts. Neither diversitybusiness.com nor pixmania.com responded to requests for comment. The general counsel for eidos.com, a division of the Square Enix Group, said the company was investigating the claim but declined to comment further.