PlentyofFish Hacked, Founder Emails Hacker's Mom
hellkyng writes "The online dating site PlentyofFish was hacked, and purportedly 30 million customer records were stolen. The site's founder, Markus Frind, is blaming the security researcher who discovered the vulnerability and the journalist who confirmed the issue."
The researcher who reported the vulnerability is Chris Russo, one of the guys who hacked The Pirate Bay last year. He explained his side of the story as well. Mr. Frind says he tracked down Russo's Facebook page and emailed his mom.
should not affect slashdot crowd (Score:5, Insightful)
should not affect slashdot crowd since they do not date.
Re:should not affect slashdot crowd (Score:5, Funny)
On the contrary, I recently experimented with online dating myself. In my experience, the site should actually be called "plenty of whales" though...
Re: (Score:3)
Yeah..I was looking on there the other day, and WOW...there are a lot of BIG women on there.
Hard to find anything worth hitting on on POF.
Frankly, I don't buy enough flour really to 'use' on those women I've seen on that site, and I tend to shop in bulk at Sam's clubs......
Re:should not affect slashdot crowd (Score:4, Interesting)
You must have seen my little sister's profile; she will kill me if she knows I was joking about her.
She keeps telling me about how I can meet a nice girl there after breaking up with my whore ex.
Right after she tells me about all the dirty old men, halfwits and creeps she has to filter through.
Re:should not affect slashdot crowd (Score:4, Insightful)
My wife and I met via online personals. She was telling me that about 95% of the emails she got were from men with user IDs along the lines of "Bigpenis69" and "Bigstud72" and the like. That's the reason why she even talked to me, because I didn't have a name that was in any way reflecting my supposed virility. I have no trouble believing that most of your sister's replies come from old, creepy dudes.
Also, regarding the "plenty of whales" comment above... it amuses me to no end that many lonely geeks and nerds will judge less attractive women to be not worth asking out, only to turn around and moan and whine when attractive women use the same methods to exclude them from consideration.
Q: "Why don't pretty women like me?"
A: Because they're just as shallow as you are and judge as much by appearance as you do.
Re: (Score:3)
stopputtingbutterinyourface?
Re: (Score:3)
it's because they have to
Re: (Score:2)
What? Fat chicks need love too... but they gotta pay. [/quagmire]
Why should I date someone I'm not attracted to? (Score:3)
Seriously?
You call dating based on physical attractiveness shallow... Fair enough. I would counter with the question: Why should I date people who aren't attractive to me? Why is physical attractiveness any less important than emotional attractiveness? I'd agree that it's shallow to date on looks alone... But speaking as someone who has tried having romantic relationships with people he isn't physically attracted to, I can say that it doesn't work any better than a relationship with someone I'
Re: (Score:3)
Being overweight is a matter of input vs. output, no matter the circumstances. It just might be a lot harder for some because of the reasons you mentioned, but not impossible.
People that gained weight on 1500 calories a day could, if anything, save money on food. As long as they're gaining weight, they're not starving.
Ask yourself: would these people lose weight if they'd only be eating a single leaf of lettuce per day? Yes, they would, otherwise we'd have found a simple solution for everyone in Ethiopia an
Re: (Score:2, Insightful)
Perhaps your little sister is indirectly trying to tell you that she thinks you are a half-witted creep?
Re:should not affect slashdot crowd (Score:4, Funny)
When I first saw the site, I thought it was Plenty Offish :-D
Re:should not affect slashdot crowd (Score:4, Funny)
I tried online dating once... Let me tell you something, the online part is just to lure you into it. They expect to see you in real life.
God I miss the good ole days when cyber actually meant phone sex over the interweb.
Re: (Score:2)
Ha ha ha, ha ha ha, ha ha FUCKING HA.
makes sense (Score:5, Insightful)
Re:makes sense (Score:5, Funny)
What's worse, after his Mom reads the e-mail, she'll probably kick him out of the basement!
Re: (Score:2)
Dang it!
Re: (Score:3)
I find it sillier that they choose to refer to themselves as "security researchers". I mean, if you're going to hack websites and then brag about it to the website to rub their faces in the fact that you defeated their security, go ahead and call yourself a "hacker". Don't try to perfume the turd by pretending that you've got some altruistic motive.
I've met quite a few of these "whitehat" types and of them all, o
Re: (Score:3)
The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.
Disturbing! Finding his Facebook page is quite an impressive hack. Then emailing his mom - wow man - that will definitely scare him off. One hacker down!
Re: (Score:2)
You should read the articles linked in the summary - quite an entertaining read. Chris Russo comes off looking like the victim, and the dating site (which appears to be the same to dating sites as blogs are to serious journalism) founder comes off looking like a complete jackass.
Re: (Score:2)
The articles linked in the summary? The PoF blog says stuff like
On January 18th, after days of countless and unsuccessful attempts, a hacker gained access to Plentyoffish.com database. We are aware from our logs that 345 accounts were successfully exported. Hackers attempted to negotiate with Plentyoffish to "hire" them as a security team. If Plentyoffish failed to cooperate, hackers threatened to release hacked accounts to the press.
[Emphasis mine.]
It may be a while before a more objective view is sorted out.
Re:makes sense (Score:4, Informative)
Specifically, there's a link in the article to Markus Frind's blog [wordpress.com], in which he claims in the same paragraph that "This was an incredibly well planned and sophisticated attack" and that "It took Chris Russo 2 days to break in; he didn't even try to hide behind a proxy, signed up under his real name and executed the attacks while logged in as himself." Fortunately, Frind then "closed the breach if indeed there was one."
Now, it's entirely possible, since both of them obviously want to sound as cool as possible, that Chris Russo was hoping to land a security gig with POF, and said some things to suggest urgency and encourage Frind to hire him. But, frankly, Frind, on his own blog, sounds like a disjointed paranoid, talking about how damn clever he is for foiling this wily hacker. Who discovered the plaintext password storage the site uses. If they're both wankers, I'd still give credit to Russo rather than Frind. I use POF myself (with the requisite sense of shame), and the site's asking for password resets because "an Argentinian hacker accessed the site." Oh, and here's the brilliant method of getting new passwords; first you enter your email (which an exploiter would already know), then you enter your current password (which the exploiter would know), and your new password. So I guess all the users are pretty much safe! :D
That *was* the traditional penalty (Score:5, Interesting)
Back when Cheswick and Bellovin were doing the original Bell Labs firewalls, and caught a Dutch teenager trying to hack into their site, the Netherlands didn't have any computer security laws that made it illegal. "So we called his mom...."
Password in plaintext email (Score:5, Interesting)
I was on the site for a while. It was always slightly clunky, but I'd prefer a free, one-man labor of love to a buy-in site that basically tries to promise sex for money. It was particularly helpful in helping me discover that I wasn't as bad as most of the creeps out there... and conversely, creepiness doesn't belong exclusively to those of the male persuasion. That was good to know -- it helped me realize that I need to be picky. (And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class).
But on the tech side, it irritated the living crap outta me that POF would send me a weekly e-mail with my password IN PLAIN TEXT. Every week, just as a reminder of how easy it would be to log in. Yeah, easy for *anyone* to log in as me and, if I were foolish enough to put important information on POF, to mess with my life. And, of course, if I were foolish enough to use that password for my bank account... well, I think anyone on this site knows the rest.
So I'm not at all surprised that someone found a way to hack POF. Sending a password in plaintext is bad, but not uncommon. Heck, T-Mobile does it. But sending it every week, unsolicited? I'm sorry to be rude, but that's just stupid.
Re:Password in plaintext email (Score:5, Funny)
Please confirm that you weren't the teacher, and she's not a student in this class...
Re: (Score:2)
Hot cougar sunday school teacher action!
Re: (Score:3, Interesting)
I used POF, and found its interface to be absolute shit. I still get emails from them on a bi-weekly basis, with password still in plaintext (after noticing this the very first time I immediately changed it to something more appropriate to something emailed in plaintext). The guy who runs it makes like $1mil+ a month in ad revenue, so I don't really feel bad about his baby getting hacked when he has the money to hire someone with half a brain.
Re:Password in plaintext email (Score:4, Funny)
But as you also said, it's one dude's project and the interface... well, it kind of shows it. I'm not surprised they're hacked. But honestly, these dating services are generally public anyway, so if these sites are not hacked, they're definitely farmed. The way I look at it... fuck it. I'm looking for titties!
Re: (Score:2)
And like you said, most of the competition is just deadbeat dudes. Pretty easy to beat. [...] Select your criteria, weed out the fatties and the uglies and email the rest. [...] The way I look at it... fuck it. I'm looking for titties!
Hmmm...and your definition of a 'deadbeat dude' includes what, exactly?
The competition may be tougher than you think...
(and it's 'voila', not 'viola'. That would be a musical instrument, or a flower.)
Re: (Score:3)
Apparently, just something as basic as having a job (especially one that doesn't include wearing a nametag saying 'Hi, my name is...') is a hard thing for women to find out there.
And apparently it is even harder to find men that not only have jobs, but have decent hygiene, wear decent clothes and have a personality greater than that of a small soap dish.
At least..that's what I hear from women out there. Having a job...really gets yo
Re: (Score:3, Funny)
You know, I've heard this repeated so many times, but I can't even get a response from girls on dating websites despite not only having a job, but a well paying job. Yes, I'm a nerd, but still. You'd think I could at least get a response... I'm going to go cry into a wad of cash now.
Re: (Score:3)
Buy more dice.
Re:Password in plaintext email (Score:4, Interesting)
Hmm....just how many girls on the websites are you approaching? You know, it is really a HUGE numbers game on the internet, maybe even more so than in real life meatspace.
Are you trying to contact 100's or more of women a week?
Make yourself out a basic 'template' of an email to use...with some spaces in there to maybe personalize your message a little bit...maybe to mention one specific thing you read about her (if you bother reading them, and don't go straight from looks). Anyway, use this basic 'canned' email and send it out over and over and over and over and...well, you get the idea. Heck, even send it to chicks you might not even be interested in, just to gauge response. If it doesn't work...tweak it a little.
I actually heard some guys did the reverse engineering thing...they created a fictitious account as a chick, with good looking pics and all...just for the sole objective...of seeing what other guys were posting on their profiles, and the types of emails they were sending. Some guys doing this even would have girls that were just friends read what the guys were sending, just to see what they thought they as women would respond to.
The researchers used all this to tune their emails to women, and started getting a lot more response (of course, they STILL sent out 100's and 1000s of emails to women, but they were better quality emails).
Re: (Score:2)
Wow...treating dating like a corporate job hunt, form letter with demographic research and all. That's super-creepy man.
Re: (Score:3)
where does the sugar come in? I did think there was sugar in there somewhere.
Re: (Score:2)
Point taken, but if lusting after boobs makes me a deadbeat, then I know I'm not alone! As one of the replies said, deadbeats are the guys that don't shower, work, or have manners.
Re: (Score:2)
The competition may be tougher than you think...
No, it's not.
I've been on the site, and while I won't go into details about the 'quality' of some of the women I've met, I can tell you for sure that I have zero problem getting the initial contact. On average, I'd say about 5-6 a week come in from my local area, from me doing nothing at all.
Granted, the pool of quality women is JUST as limited as the pool of quality men available to a woman is. But then again, I'm picky.
Re: (Score:2)
The creating an account page was broken when I tried the site, the tech support sent abusive mail, so I now regard them as a bunch of juveniles. A dating site that is actually usable has to be their first priority, competent and friendly tech support needs to be their next.
Re:Password in plaintext email (Score:5, Funny)
So you don't date? :-P
Re: (Score:2)
If a site can email you your password, it is not just bad. It is a sign of fscked up security. The only way of knowing your password is to store it in plain text or in some automatically decipherable form. If a site sends you your password, you should ask them why password hashes are not used.
Re: (Score:2)
I didn't mind the interface. It was nice to see something simple. However, I left when he became more like Facebook in that to read any message you had to supply information such as your income level, occupation, and related matters.
While you could falsify the stuff, the problem came in when it was discovered that when you did a search, your results were based on what was on your profile. So if you said your salary was $100K, then whatever programming was done on the backside would limit your results to
Re: (Score:2)
The results would limit to other people who *themselves* made $80-110K, or to people who *wanted someone else* who makes $80-110K?
Re: (Score:2)
It would be limited to people who themselves made the range. So, if you made $85K and they made $80K, you would show up in each other's search.
If you made $56K and they made $85K, neither would show in the other's search.
I don't think there was a way to search for people within a salary range. I don't remember seeing anything like that. However, as I did mention, you could do a wider search from the homepage, when you weren't logged in, which would show you anyone who met your criteria regardless of salary.
Re: (Score:2)
That's quite strange. I wonder why they do that. I don't think most people are totally uninterested in others who are beyond +/- 10% of their own salary. That isn't the case for me, at least.
I can tell you OKCupid is an infinitely better site interface-wise and functionality-wise, at least. Better than any other site I've tried. In particular, unlike practically every other dating site, they tell you exactly when people last logged in for free instead of playing games hiding that information to make you think the
Re: (Score:2)
OkCupid is fun even if you just sign up to wander around their quiz section.
Re: (Score:2)
But on the tech side, it irritated the living crap outta me that POF would send me a weekly e-mail with my password IN PLAIN TEXT. Every week, just as a reminder of how easy it would be to log in.
Oh, but it gets better: POF just now sent me an email notifying me of the breach, and sent me a *new* password, in PLAIN TEXT of course.
Your mom... (Score:5, Funny)
O_o
You know, that sounds about right.
Re: (Score:2)
Strange. I thought it sounded more like a line from Regular Show.
What I would like to know... (Score:2)
How would a "security researcher" know that a SQL injection bug was being actively exploited if he just uncovered the bug himself?
This sounds a bit odd, as using a SQL injection to expose the users' details would require you to deliberately manipulate querystring parameters or form fields. The results will display in your own browser. How would he know whether anyone else was doing this? Was it because he really didn't uncover it himself but found the 30.000 users' details somewhere else?
No, this sounds a l
Re: (Score:2)
We only have the site owner's word for the claim that the hacker claimed it was actively exploited.
Does this web site operator really strike you as the most trustworthy of characters?
(Not that we have any reason to trust Mr. Russo either -- that's the point, it doesn't have to be black and white.)
Take a step back and look at the few things we DO know:
- The site employed poor security practices
- The site was hacked
- The hacker contacted the site owner
Anything beyond this is at this point hearsay.
Re: (Score:3)
Conducting unrequested and unauthorised penetration testing is a criminal offence, and that should always be the case. Otherwise you could have too many people who get caught hacking and then just hide behind the excuse that they were just doing some penetration testing and were going to notify the site owners if they found anything.
The reality is that a large number of sites out there have vulnerabilities as not every site can afford to have their site penetration tested on a regular basis. Coders can do t
Re: (Score:2)
The reality is that a large number of businesses out there do not have front doors, or keep their doors wide open, as not every business can afford to have their office facilities penetration tested on a regular basis. Maintenance staff can do their best but they are only human, and hence they occasionally make mistakes. It only takes a single mistake made on a Friday afternoon while the office was winding down and you can be vulnerable.
Not every business model can support the profit margins needed to purch
sounds like extortion, assuming the email is legit (Score:3)
Assuming the Plentyoffish guy isn't lying (a definite possibility): http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/ [wordpress.com] states:
They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations
I just looked it up online and found no mention of needing different incorporation types for dealing with customers only in Argentina vs. external to Argentina. The highest fee I found online (although I'm sure there are companies willing to charge more) was USD $1760 to form a "Sociedad Anónima" vs. USD $1370 to form a "Sociedad de Responsabilidad Limitada" (sounds like a standard Limited Liability Corporation, but I'm not an Argentine business lawyer so I could be wrong), far short of the $15,000 they are asking for.
Re: (Score:2)
If I got an email that looked like:
I'd assume it was somebody trying to scam me.
Re: (Score:2)
Really?? You would assume any notification of a security breach to be fraudulent until proven otherwise? What web site do you operate, so I can be sure never to sign up or give you any personal details?
Hyphens (Score:3, Funny)
Re:Hyphens (Score:5, Insightful)
Ask the good people at penisland, expertsexchange and powergenitalia that :)
Re: (Score:3)
Yes, expertsexchange.com wisely changed their name to experts-exchange. :)
I'm not sure whether pen-island and powergen-italia.it have done the same.
Re: (Score:2)
Why bother with hyphens? plenty.of.fish doesn't use any more characters and is arguably more readable. Yes, it means you have to worry about "fish" being taken, but fish.co is currently listed as available (it's a parked address) so plenty.of.fish.co would be a perfectly good registration. For now.
The main benefit of having it done like this is that whoever owns fish.co can resell names from that without conflicting with their own site. You can't really do the same with offish.com.
Re: (Score:2)
There is no current owner of fish.co, so plenty.of.fish could buy it.
Second, it's not cyber-squatting if you're selling a subdomain. I'd regard it as far more ethical and far more in line with the notion of a domain hierarchy to encourage even-handed reselling of subdomains.
Third, why would there be any track of hits? There may be a certain number of hostname lookups (not usually tracked by anyone), but nobody would go through anyone else. All the fish.co owner would be doing is renting a prefix, just the s
Plenty of Fish was never secure (Score:3)
Tried Plenty of Fish for a short while. As a default, the service will mail 'new matches' to the email account you registered with every few days. These emails contain a plain-text version of your password (which essentially reads as "Remember, your password is :XXXX123").
It's not entirely surprising that the site had its security compromised.
Re: (Score:2)
Indeed.
No secure site should even have the ability to read your plaintext password from the database, let alone email it to you on a regular basis. The only (potentially) secure password database is the one that's encrypted with a one-way hash.
Re: (Score:2)
As a side, when gawker got hacked, they had the one-way hash, and either no salt, or a known/guessable salt. Simple passwords have still been discovered, via a dictionary attack. So, you were right to put (potentially) in there.
Re: (Score:2)
Gawker's hash was salted with a random 2-digit string. The salt was known because it is included in the hash (standard behavior -- you need the salt in order to reproduce the hash when the user enters the password). The problem is a salt isn't really a protection against a brute force or dictionary attack on a single one-way hash. A salt is used to prevent you from using the results of your efforts on one hash on another hash. It's a defense against pre-computed rainbow tables (generating every possible has
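The two points made in this thread, that a site which can email your password cannot be storing it as a one-way hash, and that a salt defends against precomputed tables rather than against guessing at a single hash, shown in an added example (not code from Plenty of Fish, Gawker or any poster). It assumes PBKDF2-HMAC-SHA256 with a 200,000-iteration work factor and a 16-byte random salt; the thread itself only says "one-way hash".

```python
import hashlib
import hmac
import os

# Assumptions for this example: PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte
# random salt. Any slow, salted KDF would illustrate the same points.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is stored next to the digest (the "standard behaviour" noted in the
    thread): it is not a secret, it only makes each record unique. Nothing in
    the record lets the site recover the password, so there is no plaintext to
    put in a weekly e-mail.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown record format: refuse rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_gives_distinct_records(password):
    """Two users with the same password get different records, so cracking work
    (or a precomputed table) spent on one record says nothing about the other."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


def precomputation_multiplier(alphabet_size, salt_length):
    """How many times larger a precomputed (rainbow) table must be to cover every
    possible salt. A two-decimal-digit salt as described for Gawker: 10**2 = 100.
    Sixteen random bytes: 256**16, which is why such tables stop being practical."""
    return alphabet_size ** salt_length
```

The salt does nothing for a single record against dictionary guessing, which is exactly the poster's point; what slows that down is the iteration count, and what stops reuse across records and against precomputed tables is the per-record random salt.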
The security researcher's story (Score:2)
here [krebsonsecurity.com].
I bet PoF used double Rot-13 encryption.
Re: (Score:2)
I bet PoF used double Rot-13 encryption.
Wow, that sounds like a very secure algorithm, where can I get it?
Markus' Email to Chris Russo (Score:5, Interesting)
If this data goes public I am going to email every single effected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then i'm going to sue you In Canada, US and UK and argintina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definately aren't fooling around.
Markus.
Re: (Score:2)
I'm sure Chris Russo's attorney would have quite a fun time talking about the libel were Markus to actually sue after doing such a thing.
Re: (Score:2)
Maybe because said hacker is from Argentina
Re: (Score:2)
Perhaps it's a country that's definately been effected.
Aren't all Dating sites more or less hacked? (Score:2)
Who in their right mind believes anything on plentyoffish.com, match.com, date.com, cupid.com, eharmony.com... All they are optimized to do is to increase the likelihood NOT to find the correct partner so as to get as much free money as possible. Not doing it this way would be an epic loss of opportunity from a business point of view.
Re: (Score:2)
First, OKCupid is free. Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.
Re: (Score:3)
Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.
Actually, I'm pretty sure that is how it works. Cars are not terribly reliable contraptions, and purposefully so.
Re: (Score:2)
You should look up "planned obsolescence". That's exactly how it works (albeit not on a yearly cycle).
Re: (Score:2)
OkCupid and PlentyOfFish are both free sites. The OKC blog (called OkTrends) has some pretty cool analysis of why paid dating sites are in fact a ripoff, but that's not relevant here.
Re: (Score:2)
Well, considering that:
1) Your chances of finding "the one" out of any given sample of human beings, even selecting for particularly "compatible" traits, is very low
2) Sites like OkCupid need their customers to find people who are, at the very least, passable by whatever their standards are in order to maintain that customer base
3) Nobody has written a matching algorithm so good that, "By golly, we're such good matchmakers, we're putting ourselves out of business!" And if they did, it wouldn't put them out
NEW HIGH SCORE! (Score:2)
This breaks the previous record for the most logins compromised at once by a factor of 3 (beating Trapster's 10 million)
They contacted me this afternoon... (Score:2)
Bad Title (Score:4, Insightful)
PlentyofFish.com Hacked, Blames Messenger (Score:2)
A much easier headline.
Despite the term hacker not defining whether good or bad, instead only indicating circumvention of computer security, it has been used so virally in the media that it now tends to infer that a malicious hack was carried out. In short, the headline "PlentyofFish Hacked, Founder Emails Hacker's Mom" seems to suggest that the founder of PlentyofFish had found the person who breached his servers and then emailed their mother. However that
gas station (Score:2)
Typical CEO (Score:5, Interesting)
Reading both accounts of the story (one from the CEO, the other from the security expert), it seems to be a case of "who do you believe". All we truly know is that the site was hacked, these guys were involved somehow, and now they're mad at each other. Everything else is just based on what one side or the other says.
That said, looking through the blog postings of the CEO, he strikes me as having the classic case of paranoid narcissist personality disorder. Every other posting is a rant about how his competitors are all out to get him. Everything they do is about HIM and a response to HIS business. When eHarmony does something, it's not just an innocent business expansion, it's a direct personal attack on this guy. I've worked with presidents and CEOs who use similar wording to this CEO in their daily speech, and whose nuances and mannerisms seem to match this guy's perfectly. Although my examples are only anecdotal, I'd be willing to bet this disorder is quite common among business leaders.
Not knowing more about the situation and only having their two accounts to go with, I would probably fall on the side of believing the security expert's account more, just looking at the level of paranoia and exaggeration in the CEO's blogging history.
Crybaby (Score:3)
Markus is a spoiled, rich crybaby. He's made so much money off that hideous site for so many years (and boasted about it for ages on his blog)... you would think he could afford proper security audits and support to close holes.
Basically he's been sitting on his ass technically for nearly the entire time, and now he's pissy because his lack of attention bit him.
And for the record, OkCupid.com is so immeasurably better than PoF in every way, it's time for the old whale to die.
Re: (Score:2)
...If you go there every other sentence has some huge grammatical error in it. The guy running it is completely illiterate.... Get for real.
Those who live in glass houses shouldn't throw stones, wouldn't you say? Your grammar is not exactly tip top yourself... What the hell does "Get for real" mean, I mean, in a proper English sense?
Re:Not surprised (Score:4, Insightful)
Who uses MSSQL?!?
The same groups that use Oracle and Sybase. People who care about database performance and support.