31 Jan 11

PlentyofFish.com Hacked, Blames Messenger

Hackers have breached the database of online dating site PlentyOfFish.com, exposing the personal and password information of nearly 30 million users. In response, the company’s founder has implied that the editor of KrebsOnSecurity.com was involved in an elaborate extortion plot.

Getting hacked is no fun. Learning that you’ve been hacked when a reporter calls is probably even less fun. But for better or worse, I have notified dozens of companies about various breaches over the years, and I’ve learned to read between the lines in how victims respond. Usually, when the company in question replies by implicating you in an alleged extortion scheme, two things become clear:

1) You’re probably not going to get any real answers to your direct questions about the incident, and;

2) The company almost certainly did have a serious breach.

Earlier this month, I was contacted by an Argentinian hacker named Chris “Ch” Russo, who said he’d found flaws in pof.com. In July 2010, Russo had alerted me to some security vulnerabilities he’d claimed to have found in the Web site of ThePirateBay.org, which he said exposed password and other data on millions of TPB users. On Jan. 19, I heard again from Russo, who told me he and some friends had found bugs in pof.com that let them view account and password information on any PlentyofFish user. He said the information was being circulated in the hacker community, and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information.

That was enough for me to fire off an e-mail to pof.com Founder Markus Frind. When two days elapsed and I still hadn’t received a reply, I asked Russo if he had any other contact information for Frind or other pof.com administrators. Why sure, he had them all, he said. He gave me the phone number of Frind’s friend, Annie. A woman named Kate answered when I called, but said she would relay my message.

For the past 10 days, Frind has promised a response, but otherwise dodged my emails. I began actually writing up a blog post about this hack yesterday. This morning, I awoke to find a rambling blog post that indirectly accuses me of participating in an extortion scam, before mildly backtracking from that claim. At one point in Frind’s post, he says he grew particularly alarmed when he saw that Russo and I were “friends” on Facebook. Good thing he didn’t check the kinds of people I’m following on Twitter: He might have really had a heart attack!

Part of the reason pof.com has a problem is that its database was insecure. POF claims to have closed the security hole and reset all user passwords. But on top of that, the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no. Had the passwords been stored as salted, slow hashes, a copy of the table would have yielded no usable credentials without a per-account brute-force attack; stored in the clear, every row is a ready-made login, and many of those logins will also work at other sites where users reused the same password. Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.
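As an added illustration (not part of the original post, and not POF's code, whose internals are not known), here is what the difference looks like using only Python's standard library: a plaintext column, the unsalted fast hash that many sites mistake for a fix, and a salted, iterated hash (PBKDF2) that can be verified but never handed back by a "forgot my password" form. The word list, the sample rows and the iteration count are constructed for the example; the count would be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample word list an attacker would try against a leaked table.
WORDLIST = ["password", "123456", "hunter2", "letmein"]

# Assumption: iteration count chosen for the example; in production tune it
# so that one verification costs tens of milliseconds on the server hardware.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> dict:
    """What the post describes: the password itself lands in the row."""
    return {"alg": "plain", "password": password}


def store_unsalted_md5(password: str) -> dict:
    """Common half-measure: a fast, unsalted hash. Same password -> same hash,
    and one precomputed table cracks every row in the dump at once."""
    return {"alg": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}


def store_pbkdf2(password: str) -> dict:
    """Salted, iterated hash. Each row gets its own random salt, so work cannot
    be shared across rows and every guess costs PBKDF2_ITERATIONS hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(dk.hex(), record["hash"])


def forgot_password(record: dict) -> Optional[str]:
    """A 'mail me my current password' feature can only exist if the site
    kept the password. With a hash on file there is nothing to send back."""
    return record["password"] if record["alg"] == "plain" else None


def crack_md5_rows(rows: List[dict]) -> List[Optional[str]]:
    """One table of WORDLIST hashes, built once, applied to every row."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}
    return [table.get(r["hash"]) for r in rows]


def crack_pbkdf2_row(record: dict) -> Optional[str]:
    """No shared table is possible: this row's salt forces a fresh, slow PBKDF2
    run per guess. A password that is in the word list still falls."""
    for w in WORDLIST:
        if verify_pbkdf2(record, w):
            return w
    return None
```

Run against a row whose password is "hunter2", all three representations give the password up, which is the caveat several commenters below raise: hashing raises the cost of a guess from a table lookup to 100,000 SHA-256 rounds per row, but it does not rescue a password that appears in a word list, so it complements keeping attackers out of the database rather than replacing that. bcrypt, scrypt or Argon2 are the usual production choices; PBKDF2 is used here only because it ships with the standard library.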


89 comments

  1. It seems like Markus decided that rather than respond to the breach in an effective manner he would rather point fingers at anyone he can. This is a great example of poor security and incident response practices. The comments on his blog now are also not in his favor… I wonder what it takes for a person to recognize they made a mistake and take steps to correct it.

    Either way, great work Brian

    • Agree with you, helly. It’s quite stunning to me that rather than making an official statement on behalf of POF, Markus is writing first in his personal blog. I haven’t read other blog posts of his, and probably never will, but that one was very poor, unconvincing and unapologetic. He / his site was obviously pwned but shifting blame away from himself is lame and unproductive.

    • According to Markus evidently the breach was much smaller than advertised:

      “We are aware from our logs that 345 accounts were successfully exported.”

      Oh and the “The breach was sealed in minutes”

      He also has an update on his blog saying that Krebs wasn’t a part of this. It looks like someone finally told him his absurd ranting and threats were bad for business. Even if he is telling the truth (uncertain), this is a great case of the Streisand effect. His blog and email outbursts may very well have caused more damage to the company than the “hackers”.

    • Brian, typical lazy reactionary web reporting. You start a story after being contacted by a hacker and then create a wave of negative imagery directed at Frind based on “I’ve learned to read between the lines”… you are an ambulance chaser! Hey, what’s a story without a little guesstimating right?

      Should we be standing and applauding Russo for hacking POF and then trying to turn this illegal activity into a job? (and I am giving him the benefit of the doubt by not accusing him of extortion) POF’s security weaknesses are one thing, to take issue with how a COO reacts to being violated is chicken sh*t. Blame the victim. Nice. Are you Republican?

    • POF user since 2007

      @Helly Amen. POF is a one-man show, and that one man is a one-trick pony. Read the Inc. magazine article about Frind if you want to get a better idea.

      As for hurting his business, actually the reputation of POF is not so key because it’s free. Dating sites are a fad, and I’ve met some interesting people on POF, despite the crappiness of the site. As long as lots of people are there, it’ll have value.

  2. I think pof.com is free and doesn’t contain payment data (but does contain emails). But it should be a significant warning to paid dating sites to protect their infrastructure accordingly.

    And as a note to pof.com users, I sure hope your user names and passwords weren’t the same as your email, online banking, or other sensitive sites! If I were a bad guy, that’s the first thing I’d be exploiting!!!

    • Actually, they do have a payment system. There are certain aspects of the site that have gone pay. So yeah, they’re not off the hook for payment data.

      • Shows how much I know! Then this is a much bigger deal. POF needs to own up and notify the users and the banks. 30MM accounts is nothing to sneeze at. Hopefully it’s only a small subset who are paying subscribers. According to the Russo article, it looks like PayPal data. What other methods of payment are impacted?

    • Even if pof.com had nothing but non-sensitive info about users, a compromise of their servers would provide an opportunity to launch attacks against their users from a trusted platform.

  3. In the wake of breaches, the OTA last week published a guide to help prepare for and respond to breaches and data losses, the 2011 OTA Data Breach & Loss Incident Planning Guide: https://otalliance.org/news/releases/DataBreach1_25_11.html

  4. It would be nice if we could see the author’s name above the article or below it or something… do I have to read the CEO’s blog to find who is “indirectly accused?”

    • Hi Don. There is a rather large banner at the top of the page with my name and picture on it.

      In any case, apologies for the “author” usage. It’s a holdover from writing in a much more formal style.

    • You’re kidding, right Don? Either that or you have the deductive reasoning and search skills of a doorknob. KREBSONSECURITY should have been the first hint. Upon being unable to get over that wall, the “about the author” link may have been a good choice.

      Goof…

  5. It looks like the usual knee-jerk reaction. Rightly or wrongly, POF’s boss is reacting to cement the perception that he’s a victim and that this trouble was unavoidable or maliciously brought on. If they keep a legal team, chances are they’ll tell him to sit quiet until a better release can be made. He probably posted on his own blog instead of the official so as to sidestep any restrictions placed on responding to the incident.

    I don’t know about Chris, but I imagine the emails from Brian Krebs will show that he’s trying to help. Nobody wants to be up for a libel lawsuit, especially when angry users respond to the breach.

    The concerning thing about this breach isn’t about the website, but rather about the users who have posted so much personal information and then the usual password/user name recycling. As an earlier poster said, financial information is probably at risk. The longer it takes for an official response to notify users and get them to change their user names and passwords at other sites besides POF, the worse it will get.

  6. @George, Actually if you read Frind’s other blog posts, you’ll see that he’s really not a very good representative for any company that actually wants positive PR.

    I’m actually more inclined to recommend against using POF due to Frind’s blog posts than due to his web developers’ failures.

  7. Don’t be so coy, Brian. Clearly this post is intended to divert suspicions that you are, in fact, part of a secret online protection racket run by AdultFriendFinder and eHarmony. What’s that? No one px ad space with a free redirect to our sites to artificially boost exposures? Won’t host my innocent looking Flash ad/exploit? Then get H4xx0r3|)!

    But a serious question Brian. Does it sound like POF.com is actually receiving extortion demands related to this incident (or possibly other incidents)? But if they’ve already dropped the username/passwords what else could they be threatening? Usernames/passwords correlated to real identities?

  8. I can understand why he is lashing out. It would be hard to hear that your site was hacked and you are the responsible party as much as anyone else. The first inclination would be to point the finger at anyone but yourself in order to alleviate your guilt.

    I can’t imagine being responsible for losing that many passwords due to not following basic security rules. It makes me wonder how many sites out there aren’t hashing their passwords. If there’s more than a few, we have BIG problems.

    • I have often thought there should be federal legislation requiring websites & the like to disclose how they store passwords. Let them store cleartext (or recoverable ciphertext, which is nearly as bad), but force them to disclose that fact before asking anyone to choose a password.

      Another noteworthy tidbit: according to his TechCrunch profile, Marcus Frind has a degree in Comp Sci. He certainly should know better about password storage!

    • As a rule of thumb, any site which returns your current password after using a “forgot my password” button should be considered to be storing passwords in an insecure manner.

      I expect that to be quite a lot of sites.

      Couple that with a hole which allows your raw database to be readable and you have the troubles which we see here.

  9. I read this post/article with interest after first being alerted to the situation via my daily bowl of Captain TechCrunch. As a former user of POF (no luck/no love; yea for the five letter one that starts with M), I have to say that the reported actions/stance of Marcus…100% fit the brief (rude) experiences I had with him via brief internal email messages within his site. Regardless of the veracity of these reported hacks, holes or a-holes…it’s a great reminder that you certainly get what you (don’t) pay for in many more (or less) ways than the obvious…

    • Wow those are some saucy email threats that POF sent to Russo. This whole fiasco looks like a comedy of errors by fairly unprofessional people. I have this reservation about Russo types. I want to thank him for finding flaws, but then think it is kind of creepy that he treks around the internet trying to break into other websites. There is something unclean about that approach.

      I agree this wouldn’t be much if they did not keep plain text passwords. 30 million users demands some serious security effort.

      • Would you feel better if the only people looking for security holes were the ones who steal and sell/use the data for fraud?

        • I don’t see that logic. I would feel better if people trying to break into systems were arrested and held accountable. Russo’s approach is analogous to breaking into a bank and then telling everyone you did it just to see how good their security was. At that point Russo is nothing but a hacker, not a hero. He tries to set a precedent that says anyone can try to hack into any site, and if you get caught just tell them you are a security researcher. Good luck with that.

  10. Talk about a lesson on how NOT to handle a PR disaster. Shame on you POF.

  11. Glenn Fleishman

    I wonder if you could start a site, Brian, called, “It’s really easy to encrypt your passwords in your databases, and you should do it.” And then offer a one-day seminar for $995 in which you bring in a couple of database experts who essentially provide a few lines of code and explanation and spend the day HITTING CIOS AND CTOS IN THE HEAD with it.

    I run a few relatively small sites with thousands of users. It would never occur to me to store a password in the clear. There is no reason, and it is trivial to store it in a reliably safe fashion, subject only to poor password choice brute-force attacks. (Which can be limited by setting password requirements for users.)

  12. His post is a rambling joke. The reaction is a shame as there is no sign he actually cares about his users security or has any interest in doing what’s right. It’s a CYA reaction that will do much more harm than good in the long run.

  13. All my passwords are /double/ rot-13 encrypted!

  14. So why is it ok for Russo, who admitted he and some friends hacked The Pirate Bay, to hack and gain access to POF (possibly being the leak to the internet) and hang around in their servers telling you your user and pass info?
    You make no mention of why it’s wrong to hack sites and then tell the world about it. Was a cookie to be expected?

    • It’s because he didn’t tell the world about it. He contacted the owner of the site first, which was the right thing to do. If you found a vulnerability in a site, it would be wrong *not* to report it.

  15. I see, chief, the old shoot-the-messenger trick. Hey Rob, if we start fingering the whistleblowers for taking the risk of sticking their necks out, then we can go blithely on pretending there are no problems. Craig, welcome to Krebs; I see you rate just slightly better than my first encounter. We may have our differences with journos and activists, but that is what they do, and really we should be thankful. It is always difficult to avoid misdirecting anger; in this case it should be the criminals who are dealing in the information, but really the network owners in this case sound like they have a lot to answer for. Pity they would not engage with Krebs so their side of the story was told.

  16. I don’t know Markus at all but as an entrepreneur I admire the fact that he has created a VERY profitable business w/ very little resources…

    Markus does mention in his post, “Now that it’s mostly over I don’t think Brian Krebs has anything to do with these two.” In his benefit, he was probably just freaking out after being hacked… I know I would freak.

  17. I had a difficult time understanding the grumo media article. What was the talk of a business plan? The flaw was reported to the company, the company fixed it. “The vulnerability was fixed and they remain in contact with us, since they were interested in hiring us as security professionals in order to make an analysis of the platforms.” I got the impression from Frind’s threatening message that Russo was trying to get some money in exchange for not releasing the data and/or for reporting the security flaw. Is this normal practice for a “security researcher”?

    I don’t think I have all the facts yet about what has actually gone on between both parties.

  18. The plentyoffish website is under heavy enough load, or is being blocked, so that I can’t delete my account.

    Maybe everyone else is doing that, too.

  19. I use POF occasionally but I certainly don’t consider it to be secure or private. Any site that emails you your password in plain text every month obviously has no semblance of security.

  20. I would like, one more time, everyone, please read this part:

    If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture.
    And tell them you hacked into their accounts.

    Then I’m going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn’t piratebay and we definitely aren’t fooling around.

    My name is Chris Russó, I live in Buenos Aires, Argentina, I’m 23 years old, I’m a security researcher, I informed Markus about the vulnerability, and if anyone wants to see a picture of me: http://www.about.me/chrusso

  21. Markus’ blog is a master’s thesis for a psych student that practically writes itself.

  22. You guys seem to put a lot of faith in encrypted passwords. Having them will slow the bad guys down, but won’t stop anyone. Done poorly, it won’t even slow them down.

    Yes, use them. But the first order of business is to keep the bad guys out of the database!

    • Encryption done well? I would use something like a standard password object in MySQL, Postgres or others. Shouldn’t that be encrypted satisfactorily?

  23. Dude the exact same thing happened to me when I broke the unhappy news to Hell Pizza in New Zealand last year. I had journalists from the NZPA and Herald on Sunday ringing me to ask why I was trying to shake them down.

    Happy days.

    Funny thing is a couple of weeks later when they realised I’m not Lisbeth Salander they mellowed and seemed quite nice.

  24. Markus is an awful person. I have dealt with him as a former POf user. Not a nice guy at all.

  25. SourceForge did it right:

    http://sourceforge.net/blog/sourceforge-net-attack/

    But then; their example shows that even the best get cracked; (not hacked).

  26. Remember what happened with the Gawker breach? It wasn’t so much a problem that people’s Gawker accounts got hacked, but that their email addresses and passwords were revealed.

    If you have 30 million email addresses and passwords, then you can bet that a lot of those are used on other sites too. It won’t take long for someone to exploit that..

  27. Well, I would never use POF.com but do know enough about online dating companies to share that the reaction from POF.com should be a red flag to their user community to leave the site for match, chemistry, e-harmony, lavalife or whatever. The response from the top should be that of concern for the users first, then shareholders then the company itself. Instead, this Markus person is responding just like a mad 10 year-old would when someone doesn’t share his matchbox car in the sandbox. If you are on POF.com, do the world a favor and delete it! If there’s not a facebook fanpage for POF deletions I am sure there will be soon! Gr8 job as always Brian! Your reporting is always right on!

  28. I would imagine that, absent some sort of unique matching algorithm, a dating site’s main value lies in its user base.

    It seems to me that risking the confidence of your users by not taking elementary precautions is very foolish, from a purely business p.o.v.

    If so, the CEO is willing to bet a significant chunk of his business’ value that his users do not care about security and thus will stick around despite this breach, or he himself was unaware or unconcerned about this issue. The former suggests someone who is quite risk-tolerant. The latter, someone who is rather too aloof, IMO.

    Of course, a profile I read yesterday ( http://www.inc.com/magazine/20090101/and-the-money-comes-rolling-in.html ) said he works 1 hour a day, so he simply may not have had time to become aware of these matters.

  29. Whitehat by day, blackhat by night, eh Brian? We’re on to you buddy! hah.

    Oh yeah, Chris says the following in his Grumomedia interview.

    “because there was a serial killer, murdering people from the website.”

    Yet no one has commented on THAT.