Hackers have breached the database of online dating site PlentyOfFish.com, exposing the personal and password information on nearly 30 million users. In response, the company’s founder has implied that the editor of KrebsOnSecurity.com was involved in an elaborate extortion plot.
Getting hacked is no fun. Learning that you’ve been hacked when a reporter calls is probably even less fun. But for better or worse, I have notified dozens of companies about various breaches over the years, and I’ve learned to read between the lines in how victims respond. Usually, when the company in question replies by implicating you in an alleged extortion scheme, two things become clear:
1) You’re probably not going to get any real answers to your direct questions about the incident; and
2) The company almost certainly did have a serious breach.
Earlier this month, I was contacted by an Argentinian hacker named Chris “Ch” Russo, who said he’d found flaws in pof.com. In July 2010, Russo had alerted me to some security vulnerabilities he’d claimed to have found in the Web site of ThePirateBay.org, which he said exposed password and other data on millions of TPB users. On Jan. 19, I heard again from Russo, who told me he and some friends had found bugs in pof.com that let them view account and password information on any PlentyofFish user. He said the information was being circulated in the hacker community, and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information.
That was enough for me to fire off an e-mail to pof.com Founder Markus Frind. When two days elapsed and I still hadn’t received a reply, I asked Russo if he had any other contact information for Frind or other pof.com administrators. Why sure, he had them all, he said. He gave me the phone number of Frind’s friend, Annie. A woman named Kate answered when I called, but said she would relay my message.
For the past 10 days, Frind has promised a response, but otherwise dodged my emails. I began actually writing up a blog post about this hack yesterday. This morning, I awoke to find a rambling blog post that indirectly accuses me of participating in an extortion scam, before mildly backtracking from that claim. At one point in Frind’s post, he says he grew particularly alarmed when he saw that Russo and I were “friends” on Facebook. Good thing he didn’t check the kinds of people I’m following on Twitter: He might have really had a heart attack!
Part of the reason pof.com has a problem is that its database was insecure. POF claims to have closed the security hole and reset all user passwords. But on top of that, the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no. Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.
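To make the "Security 101" point concrete, here is an added example (not code from the post or from pof.com) contrasting plaintext storage with a salted, slow password hash; the in-memory dictionary standing in for the user table, the account names and the iteration count are all constructed for illustration.

```python
"""Plaintext vs. salted PBKDF2 password storage (added example, not from pof.com)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
SALT_BYTES = 16


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The insecure pattern: anyone who reads the table reads every password."""
    db[user] = password


def store_hashed(db: dict, user: str, password: str) -> None:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; stored as alg$iters$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[user] = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(db: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    _alg, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_visible_in_dump(db: dict, user: str, password: str) -> bool:
    """What a leaked copy of the table hands over directly: is the password in it verbatim?"""
    return password in str(db.get(user, ""))


if __name__ == "__main__":
    plain, hashed = {}, {}
    for table, store in ((plain, store_plaintext), (hashed, store_hashed)):
        store(table, "alice", "correct horse")  # constructed accounts
        store(table, "bob", "correct horse")    # same password as alice
    print("plaintext leaks alice's password:", password_visible_in_dump(plain, "alice", "correct horse"))
    print("hashed leaks alice's password:   ", password_visible_in_dump(hashed, "alice", "correct horse"))
    # With salts, identical passwords produce different records, so a dump
    # cannot even group users who share a password.
    print("alice and bob records differ:", hashed["alice"] != hashed["bob"])
    print("alice verifies:", verify_hashed(hashed, "alice", "correct horse"))
```

A reset of all user passwords, as POF did, limits the damage from a plaintext table only for this site; users who reused the same password elsewhere still have to change it everywhere.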