January 31, 2011

PlentyofFish.com Hacked, Blames Messenger


Hackers have breached the database of online dating site PlentyOfFish.com, exposing the personal and password information on nearly 30 million users. In response, the company’s founder has implied that the editor of KrebsOnSecurity.com was involved in an elaborate extortion plot.

Getting hacked is no fun. Learning that you’ve been hacked when a reporter calls is probably even less fun. But for better or worse, I have notified dozens of companies about various breaches over the years, and I’ve learned to read between the lines in how victims respond. Usually, when the company in question replies by implicating you in an alleged extortion scheme, two things become clear:

1) You’re probably not going to get any real answers to your direct questions about the incident, and;

2) The company almost certainly did have a serious breach.

Earlier this month, I was contacted by an Argentinian hacker named Chris “Ch” Russo, who said he’d found flaws in pof.com. In July 2010, Russo had alerted me to some security vulnerabilities he’d claimed to have found in the Web site of ThePirateBay.org, which he said exposed password and other data on millions of TPB users. On Jan. 19, I heard again from Russo, who told me he and some friends had found bugs in pof.com that let them view account and password information on any PlentyofFish user. He said the information was being circulated in the hacker community, and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information.

That was enough for me to fire off an e-mail to pof.com Founder Markus Frind. When two days elapsed and I still hadn’t received a reply, I asked Russo if he had any other contact information for Frind or other pof.com administrators. Why sure, he had them all, he said. He gave me the phone number of Frind’s friend, Annie. A woman named Kate answered when I called, but said she would relay my message.

For the past 10 days, Frind has promised a response, but otherwise dodged my emails. I began actually writing up a blog post about this hack yesterday. This morning, I awoke to find a rambling blog post that indirectly accuses me of participating in an extortion scam, before mildly backtracking from that claim. At one point in Frind’s post, he says he grew particularly alarmed when he saw that Russo and I were “friends” on Facebook. Good thing he didn’t check the kinds of people I’m following on Twitter: He might have really had a heart attack!

Part of the reason pof.com has a problem is because its database is insecure. POF claims to have closed the security hole and reset all user passwords. But on top of that, the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no. Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.


89 comments

  1. POF also e-mails its passwords in the clear as part of its reminders on a regular basis to members. That’s just clearly stupid.

    • I’m replying to my own comment. POF just sent me a reminder e-mail with out the password in the clear. I hope it was my comment and this article that woke POF up. Either way, good job, Brian, as it’s Internet sites like this that watchdog the Internet for security. In my humble opinion, your site is the best at what it does.

      • I was instant msg'd by a woman on the site. We talked a bit, and since we live nearby she wanted my number. I gave it to her and she blocked me. Then I received 10 phone calls from strangers saying my picture and number were posted on some chan site? But as you know, there's no one to complain to, as this Markus never replies.
        What would you do to report these types of events?
        frank

  2. Jesus Brian,
    This story just gets weirder and weirder. Having been a reporter once myself, I can relate to people wanting to shoot the messenger, but I wonder how many of these folks realize how stupid they look when they do it in print/online? I mean, really? Your security sucks, it exposes your users to criminals and who’s to blame? Not your site architect or your App security person (assuming you have one), but the guy who alerted you to the problem and the person who exposed it to the world. Here’s a tip for Frind that seems pretty obvious to me. Put your energy into cleaning up your mess and protecting your customers, before they all bail on you.
    Keep up the great work Brian.
    Best,
    Mark

  3. It’s not just PoF who store in plaintext.

    Friendfinder Inc also stores passwords in plaintext AND requires the user to read their login password back as part of phone verification whenever calling into tech support.

    FF has been hacked many times in the last decade, with user personal and accounting information having regularly been stolen; however, they have never reported such breaches to the Californian authorities and continue to officially deny it has happened.

    (I found out the same way you did – someone read the account and banking details back to me after I'd created a test account. I cancelled the card involved within 15 mins.)

    I see PoF is also in California. Perhaps a phone call to the CoPP is in order…

  4. Actually, everyone would agree that POF's handling of this break-in was very unprofessional and downright stupid. However, I believe this "security researcher" has committed a felony by hacking into POF (and who knows what other sites) and by publishing his break-in has done huge amounts of harm to POF's business. I'm not a lawyer but should have been the first person POF contacted, immediately followed by law enforcement.

    • Correction: I didn’t mean POF should contact me, I omitted the word “that”. POF should contact a lawyer and the police. It’s not too late if I were them. I’m also not blaming the messenger either. Great journalism Brian.

  5. @nogero
    Pof claims to be a FREE dating site. As for the business aspect, some ads show up/or hide parts of profile pics. That’s good business?

    Now members have to pay for features that used to be Free. Down the road I see a Paying subscription coming. Pof needs to stop advertising 100% FREE.

    Yes, Pof sends text emails of passwords. I've gotten them!

    Users were NOT notified of any security problems or what was going on. I didn’t get an email. I had to find out by going to the Help Forum. The forums are hidden now (no links to them on profile pages or anywhere else) only older users know they exist. What about the newcomers signing up lately? They would have no clue what’s going on.

    In a way I'm glad someone looked into how this site is operating. I just don't know how users will see or know indications that their accounts are at risk. Pof won't tell us.

  6. I am a member of the fish site (which I have seen elsewhere referred to as the “Sausage factory”) and find online dating in general a great way to meet new people. Working in the security sector I was stunned therefore to receive this email from POF:

    “Hello ,

    your NEW password is ,

    As a security precaution we have reset everyone's password on plentyoffish. If you used your plentyoffish password elsewhere we suggest you reset it. Even if you didn't, resetting all your passwords every 6 months is a good idea. We did this after a hacker came to us telling us he had access to our data.

    For further assistance with changing your password please see our help page: http://www.plentyoffish.com/faq_login_out.aspx"

    No apology for crap security, no sense of ownership for the sheer size of the problem they have created (especially when you consider it has been shown many people use the same password for pretty much everything!).

    The completely cavalier attitude is astounding – I must go review what privacy / data protection laws apply in Canada….

    • POF user since 2007

      I got the same email with my new password in clear text. The security practices used on POF predate when the site was first put online. This is because the CEO is the coder, security agent, tester, marketer, etc. Even the moderators in the POF forums are “volunteers” and get no $, despite the huge profits Frind speaks of in the Inc. magazine article I cited. Little of the $ earned by Frind has been re-invested in the site.

      To one degree I agree with his strategy that less is more (esp. with respect to profit). However, your comment points out that ethics seem to suffer.

      Match.com got sued recently because of lax security (allowing fraudsters to make fake profiles, not deleting old profiles to make it look as if more people were on the site, etc.). I wonder if it’s possible that some lawyer will run after POF after this incident. The problem with having lots of users is that class-action suits have more weight.

  7. Regardless of security controls at POF or any other site, it is not an excuse or reason to hack into any website or system. I'll bet we'll read lots of rationalizations for doing it. The fact is hacking into websites unauthorized is illegal. This Russo is trying to make himself famous and get jobs by hacking into well-known websites. I hope the guy and those like him get busted. I am fairly certain Argentina is not too far away for prosecuting hackers, so good luck to you Russo. You are a crook. I'm sorry you took that approach. Maybe some company will hear about your exploits and hire you. It won't be the first time. I find it amazing that many readers think what he did was OK.

  8. basket lotion in the

    plenty of lotion and a strong right hand = success!

  9. I don’t know about anybody else, but I’m getting really tired of the cesspool of a world we’ve become. The tech geeks take revenge at long last upon the “stupid” non tech geeks. How refreshing. We’ve created hell.

    Granted, security protocol at POF, as at a gazillion other sites, is poor. But on the other hand, it seems like the increasing attitude is that if you don’t somehow stoop to the level of cesspool cyber crime, you are the criminal. If hackers want to “help” by exposing a security hole, they can start doing it responsibly. The world could use their help. And, God only knows, average Joe internet user could sure use a wake-up call. Otherwise they’re just thugs.

    I don't know of many business owners that actually want to be in the primary business of cyber security and anti-hacking. Yet it's becoming more and more the necessity.

  10. To Nogero…I haven’t read in any of the comments that the commenter thought it was alright that Russo hacked into POF website.

    Who called this guy, in your words “a security researcher”? Certainly not Brian!!

    “Argentina is not too far away from prosecuting hackers” Yea, so is China & Russia et al. Your check is in the mail, etc.

    Thank you Brian for your site

    Dennis

  11. POF user since 2007

    Frind is mostly concerned about how much $ is coming in from his ads, which have been very successful. I have complained many times about unethical ads that display, such as those for illegal pharmaceuticals for men. On the POF forums I have asked about ethics of ads, and there doesn’t seem to be much response. This “free” web site is geared towards displaying as many ads as possible, to get clicks.

    You can read all about his attitude on this article from 2009: http://www.inc.com/magazine/20090101/and-the-money-comes-rolling-in.html

    Here’s a quote summing up POF and Frind:

    That’s a lot of personal ads. “One-point-six ba-hillion,” Frind says slowly, smacking his lips on the hard b. “There are maybe 10 sites in the U.S. with more than that.” Five years ago, he started Plenty of Fish with no money, no plan, and scant knowledge of how to build a Web business. Today, according to the research firm Hitwise, his creation is the largest dating website in the U.S. and quite possibly the world. Its traffic is four times that of the dating pioneer Match, which has annual revenue of $350 million and a staff that numbers in the hundreds. Until 2007, Frind had a staff of exactly zero. Today, he employs just three customer service workers, who check for spam and delete nude images from the Plenty of Fish website while Frind handles everything else.

  12. I am starting to get it now. This is a security blog just like the hacker is a security researcher. Brian, do you actually endorse your little 'Like Dislike' comment voting system? It appears those who approve of breaking into websites and companies are Liked and those who object are Disliked.

    Oh I get it. They have declared POF a “grease bag” and numerous other rationalizations so it is OK to hack into that website. Unbelievable. This website is becoming a security septic tank that appears to be frequented by hackers more than legits concerned about security. Wow, it is amazing Brian likes the direction and reputation this blog is headed.

    • Dear nogero;

      I gave you a “Like”. I hope that makes you feel better! :D

    • Nogero,

      You’ll find that I am not the most active forum participant, even on my own site. I’m trying to change that, but there it is.

      I very seldom try to steer the topic of discussion, and almost never remove or edit posts (unless they are spammy or amount to a serious personal attack against someone). Also don’t do a lot of voting thumbs up or down. I prefer to let readers do that.

      I think there is a very good mix of folks on this forum, from hardcore security experts to those who are merely trying to get help and insights into how to stay safer online. And judging from my referrer logs, there are certainly criminals and crooks-in-training reading my blog, and probably also commenting here. As long as they’re polite and don’t abuse their stay, they’re just as welcome as any other reader.

      • Good to hear Brian. It’s obvious from this comment section that criminals are removing posts of legits by means of voting, thereby encouraging illegal activity. That should give you a bit of concern I should think.

        • POF user since 2007

          @nogero: “removing posts of legits”? If you refer to your post above where you passed scathing judgment on Russo and any white-hat hackers and got voted down, then I think it’s more about your attitude and the use of the word “crook” than anything else. The fact is that those people read the posts and can vote. Try using more honey than vinegar in your posts and see if you get more thumbs up.

  13. @ POF since 2007 Actually it wasn't my post removed that set me off, but I see they have taken out my posts too. When I saw @Tiredofitall's comments removed before I had a chance to read them I got alarmed, considering the general tone of this thread–where those approving of criminal activity outnumber those who disapprove and remove posts. Russo is no "whitehat hacker". He is a criminal hacker who went for a publicity move. Do some research yourself. Your "pass judgement" argument is cracked anyway since the majority, including you, pass judgement that POF deserved to be hacked for reasons such as: he's a greasebag, he's making lots of money and gloats about it in magazines, he uses plain text passwords, his website doesn't meet your measure of security. Those may or may not be true, but it is irrelevant to the fact that Russo committed a felony. It's bad precedent. That is my point.

    Just who is the “honey” or “vinegar” intended for, @Since?

    • Interesting nogero:

      Do you see anything wrong in calling “criminal hackers” by their real name “crackers”?

      I tend not to like to soil the original benevolent meaning of the word hacker.

    • If your point is that Russo sets a bad precedent by exposing the vulnerability and disclosing it to the person most capable of addressing it I would have to disagree. I think it sets an excellent precedent.

      Take the Heartland data breach for example, if someone had identified that vulnerability and notified them in advance it would have saved them literally millions in direct cost. And untold millions in costs to other affected companies and the savings to their reputation as well.

      Site owners can’t be recklessly negligent with the information their customers provide them. Because the average consumer can’t validate a site’s security for themselves some people take it on themselves to do so to “protect the innocent”. Russo found a critical vulnerability in the site and brought it to the attention of the site owner. Had POF addressed the vulnerability in a timely manner and moved on this would have been a non-story overall. But they made the choice to call out Russo as some sort of malicious hacker. But by their own account almost no information was taken, it can’t be both ways? The only person who set a bad precedent here was the site owner, by not appropriately responding when a security issue was brought to his attention.

      Believe it or not I am not a criminal either, but do occasionally down-mod comments ;)

  14. @JCitizen

    How about “felon”?

  15. @nogero, perhaps you didn't explore the original sources. This is what Russo said he did:

    "Last Friday, 21 of January, we discovered a vulnerability in http://www.plentyoffish.com exposing users' details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most cases, paypal accounts, of more than 28,000,000 (twenty eight million users). This vulnerability was under active exploitation by hackers."

    The important thing to notice is the last line. He may have found a vulnerability, but he was not the first person to do so. Previous crackers had already used the vulnerability and were distributing the usernames and passwords to other criminals around the internet. At that point Russo could do one of two things. He could either send an email saying, “Some guy said he hacked your site, and I don’t know if it’s true or if he’s full of it, but you ought to look into it” and I can guess what the likelihood would have been of Frind taking that seriously. Or he could test the exploit himself, using his real name to make sure his honest intentions were clear, then give Frind useful information about what was compromised and how it was done. The information was already out the door. Russo couldn’t threaten to give away what was already lost. All he could do was try to whop the owner upside the head in a way that would convince him of the urgency of notifying his 2.8 million users that they need to start changing passwords on every site that uses the same username/password combination. And apparently, he still didn’t hit him upside the head hard enough to make that message understood, from what other POF users are saying about the lack of communication from Frind.

    • I think you're exactly right here. There is no reason to believe that Russo had malicious intent in what he did. He found a vulnerability that was being exploited and reported it. I see so many people here commenting on how he was in the wrong – but what exactly did he do that crossed the line? There are people whose jobs are to see if their company can be hacked – to find the flaws… others who you can hire to do the same thing… Are his actions wrong because he wasn't hired to look into it? Are the actions wrong because he sees an exploit being used by those with malicious intent and he doesn't just turn a blind eye and ignore it? Are the actions wrong because he verified it before reporting it? Or are they simply wrong because people jump on the word "hacker" and assume it's illegal activity? Or perhaps simply because of POF's response while they were trying to cover themselves from being liable for their lack of security?

  16. Glad to see that all opinions, even when stated rationally, are welcome on this blog.

    I would have thought that the Washington Post years would have left a mark of at least minimal journalistic integrity.

  17. Brian-

    Great blog, but you really need a ‘Print Article’ feature. Especially when you already have a button for every social network known to man :)

    • Never mind, turns out I'm a moron and you do have that feature already. Maybe feature it a bit more prominently, so people who come to quickly print something for class (see: me) can easily find it? I guess it's just me, but I don't think 'Print' and 'Share' (in the social network sense, at least) are logically grouped together.

      Just my 0.02. Thanks for the solid reporting, KoS is a cornerstone of my RSS netsec group.

  18. Iaiaiaiaiaoo – that’s just human.

    Okay. It’s trolling around to warn users from this pages eh ?!

    ~d3wd

  19. Well, it is quite an interesting story to say the least. I myself have been an off-and-on-again user of POF and have recently given up due to the fact that their security and their customer service are a complete farce. So if there was a security breach, it certainly does not surprise me, considering some of the many strange occurrences that have been part of my own experience on the site. I know for a fact that my profile was constantly being monitored and that some sort of false information about my life was somehow being relayed to potential dates. I am not a computer person, but even if a site is free, you would hope that any private information pertaining to yourself, or what others perceive they know, should never be allowed to be forwarded for others to see and read. I must sadly admit that I have encountered so many strange date occurrences whereby people seem to know or have had information relayed to them through the internet via moderators or potential govt. hackers or mafia hackers. I would truthfully love to hear some advice on how I could find out who the perpetrators of such private injustice are.

  20. The ill informed fail to see how fragile and weak the internet truly is.

    It was conceived, designed and built by those who had a degree of integrity and idealism about them, yet alas, were somewhat cloistered in a world of trust populated by people of good will. Not any more.

    Then the military stepped in, but they (the inventors of the internet circa late 1970s) retaliated by leaving out of the picture book of instructions (which is what the stumpy fingered needed so as to understand it all, ie, the ‘cloud’) those magic few pages about how the ill-willed and twisted could make merry from within the streams of bits and bytes. Plus the best is always held back to the last – any smart kid can go places the adults fail to secure, down to their level.

    So, when the kids and pups cook up an online business model made from the sum of their own experiences, then it is by definition, lacking maturity.

    Then after the military came the advertisers, then the media sellers, which is why the banner advert world is now worth more than we have zeros to describe it.

    An individual on a quest to make as big a pile of money as is possible will always have weak heels. Plus the feathers won't work with wax, but don't tell them that.

    Just ask Achilles or Icarus.

  21. sherunswithscissors

    Shit only runs one way. Garbage in, garbage out.

  22. I just tried to create an account @ pof.com and wasn’t able to. I received messages like “your password is too easy” (which it wasn’t), “create a user name without” and it listed several “special” characters – none of which were in the user name, “we already have an account with that email address” and I had never registered, etc. There were other nonsensical things that happened.

    My guess is that someone is having fun hacking the site.