Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com)
Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn't send an email to confirm the address change -- it just blindly accepted the change. "Unfortunately, we're not able to provide any details about accounts not connected to your email address," said OkCupid's customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number, which was lifted from one of his private messages. It wasn't an isolated case. We found several cases of people saying their OkCupid account had been hacked.
But several users couldn't explain how their passwords -- unique to OkCupid and not used on any other app or site -- were inexplicably obtained. "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid." Even on OkCupid's own support pages, the company says that account takeovers often happen because someone has an account owner's login information. "If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach," says the support page. In fact, when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.
Could be true but irrelevant (Score:5, Interesting)
It's entirely possible that there has been no breach of passwords, and that they just screwed up session management. There's been many a security failure in a website that permitted an attacker to guess a session ID, and railroad someone's account that way. If you combine that with a feature (or bug) which permits changing the email address without confirmation, you could easily have this kind of security failure without exposing any login credentials.
Re: (Score:2)
Any online service of noteworthy size has a never-ending stream of people claiming their account was "hacked", which inevitably means they used the same credentials on another site, or they have malware on their devices, and subsequently someone logged into their account simply using their standard login credentials.
Of course, it's entirely possible there was some hack and the company is in denial/coverup mode, but you'd think people know better than to do that at this point. I've learned not to underestim
Re: Could be true but irrelevant (Score:2)
That falls over when you need to change your e-mail address because you signed up using your ISP e-mail address and you've changed to a different ISP, or your old web mail provider cut you off. A more workable way is to require either a confirmation code from the old e-mail address, or the password to be entered, or some other authentication factor (e.g. YubiKey or fingerprint) before allowing an e-mail address change. That protects against stealing a session cookie and still allows you to update your addre
Re: (Score:2)
Note that I used the words "either" and "or" in that sentence. In the case where a legitimate user has a valid session cookie but can't remember their password, they can use an e-mailed code to recover their account. If they don't have access to their e-mail account but can remember their password and/or have access to another authentication factor (YubiKey, fingerprint, etc.) they can use that to reset their e-mail address.
Re: (Score:2)
Even the right type of CSRF bug could enable something like this.
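The two failure modes discussed in this thread (a session that can be hijacked or guessed, and an email-change endpoint that accepts a forged or unconfirmed request) are both addressed by the "either/or" design proposed above. The following is an added example, not code from the original article, from OkCupid, or from any commenter; it is a self-contained Python sketch with constructed in-memory stores (`ACCOUNTS`, `SESSIONS`, `OLD_ADDRESS_CODES`, `OUTBOX`) standing in for a real database and mailer. The address change only succeeds when the request carries a valid per-session CSRF token and the caller re-authenticates with either the current password or a single-use code mailed to the old address; the old address is always notified afterwards.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-ins for the site's database and mail sender.
ACCOUNTS = {}            # email -> {"salt": bytes, "pw_hash": bytes}
SESSIONS = {}            # session id -> {"email": str, "csrf": str}
OLD_ADDRESS_CODES = {}   # email -> one-time code mailed to the OLD address
OUTBOX = []              # (recipient, subject) pairs a real mailer would send


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a leaked table is not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": _pw_hash(password, salt)}


def _password_ok(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    return hmac.compare_digest(acct["pw_hash"], _pw_hash(password, acct["salt"]))


def login(email: str, password: str) -> Optional[str]:
    if not _password_ok(email, password):
        return None
    # 256-bit random session id: not guessable, unlike a sequential or
    # timestamp-derived id. A fresh CSRF token is bound to the session.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    return SESSIONS[sid]["csrf"]


def request_old_address_code(sid: str) -> None:
    # Mail a single-use code to the address currently on file, so someone who
    # only holds the session cookie cannot complete the change without it.
    email = SESSIONS[sid]["email"]
    OLD_ADDRESS_CODES[email] = secrets.token_urlsafe(16)
    OUTBOX.append((email, "your email-change code"))


def change_email(sid: str, csrf: str, new_email: str, *,
                 password: Optional[str] = None,
                 old_address_code: Optional[str] = None) -> bool:
    sess = SESSIONS.get(sid)
    # Reject forged cross-site requests: the token must match this session.
    if sess is None or not hmac.compare_digest(sess["csrf"].encode(), csrf.encode()):
        return False
    email = sess["email"]

    # Re-authentication: EITHER the current password OR the code sent to the
    # old address. A live session on its own is never enough.
    reauth = password is not None and _password_ok(email, password)
    if not reauth and old_address_code is not None:
        expected = OLD_ADDRESS_CODES.pop(email, None)   # consumed on first use
        reauth = expected is not None and hmac.compare_digest(
            expected.encode(), old_address_code.encode())
    if not reauth:
        return False

    ACCOUNTS[new_email] = ACCOUNTS.pop(email)
    sess["email"] = new_email
    # Notify the OLD address so the real owner learns of a hostile change,
    # and ask the new address to confirm it can actually receive mail.
    OUTBOX.append((email, "your email address was changed"))
    OUTBOX.append((new_email, "confirm your new address"))
    return True
```

The constant-time comparisons matter less for the CSRF token than for the one-time code, but using `hmac.compare_digest` throughout avoids having to reason about which secret a timing side channel could leak. In a real deployment the one-time code would also carry an expiry, and a second factor such as a hardware key (as mentioned in the thread) would be a third acceptable re-authentication path.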
Re: perhaps not hacked.. (Score:1)
Re-read the article.
Yeah, and Blizzard wasn't breached either (Score:1)
All of those users complaining day after day on the message boards at a rate of several sigma above that of any other comparable services, they must have been using the passwords on other sites or had malware installed on their machines.
They could settle this once and for all with mandatory 2FA
Several options for this (Score:3)
I can think of several ways this can happen. Malware in the browser is one, no need to steal a password if you can use the currently logged-in session to change the password to a known value. Social engineering of OkC's support, resetting the email address and password through that channel won't generate a change-of-address confirmation even if the normal process does. A compromise of OkC's systems that OkC hasn't noticed yet (or doesn't want to admit to because of the likely effect on their business). Given the lack of security typical of this kind of site and how much their business model discourages strong identification of users, I have to consider an account with them to be at-risk from the moment it's created.
Unsurprisingly, OKCupid is owned by IAC (Score:5, Informative)
Hello,
Unsurprisingly, OKCupid is owned by IAC, the same company that owns (or owned, in this case) AskJeeves, Match.Com, Plenty of Fish, Tinder and a host of other web properties. They are a company that makes money by getting eyeball counts, and things which interfere with that, like security, are tossed by the wayside.
Several years ago, someone signed up using my name and email address for match.com, and a password of "baculum" (go ahead, look it up). There was no attempt to first authenticate me, they just allowed the account to be created and start getting responses, and when I realized what was going on and tried to log in, they sent the password for the account in plaintext to me.
Apparently using IAC properties is (or was) a popular way to harass people. I reached out to their security people, trying to find out more about how an account was created with my email address and no authentication, and asked for information like the IP address it was created from and the time, and got a form letter back saying to come back with a warrant or subpoena.
That they continue to have account abuse issues does not surprise me at all.
Regards,
Aryeh Goretsky
Re: (Score:1)
That they continue to have account abuse issues does not surprise me at all.
But they don't have account abuse issues; only their customers do. Or, at least, fobbing off customers with boilerplate is cheaper than improving their security. It's not like they're a bank or anything; what's their worst case cost?
Re: (Score:3)
It's a *dating* site, and they operate in the EU. If you have an account there that's not just for lulz, then they are almost certainly going to have more of your sensitive PII than pretty much anyone other than the likes of Facebook and Google - a compromise as a result of negligence and subsequent coverup would be an ICO's wet dream. Most people with a clue have now woken up to the need to secure accounts that have financial links, but a similar awareness over PII is still so
Profiling yourself (Score:1)
A website where you actively and publicly (within the site itself) profile yourself. Fav movies, geo location, pics, interests, etc... Plus you have lots of horny people spending countless hours on the site focused only on their sexual impulses, going on dates with strangers while being as open as they can, impulse texting, impulse phone calls.
Best security practices - the furthest thing from their minds.
Tons of attack vectors. The victims... too horny to care until they've lost accessed. Now they're forced
there are 2 different companies in the world (Score:4, Informative)
there are 2 different companies in the world;
those that have been hacked
and those that have been hacked, but don't know it yet.
The answer is usually recycled passwords... (Score:2)
Everyone should try https://haveibeenpwned.com/ [haveibeenpwned.com] (no affiliation). It's scary how your old password that you used on some random website a decade ago has been leaked. Hopefully most "big" sites have moved to individually salted passwords so future password leaks will be less common or severe...
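To make the "individually salted passwords" point concrete, here is an added example (not code from the original article or any commenter) contrasting the weak storage scheme with the corrected one. `unsalted_sha256` shows why a leaked table of plain hashes is so damaging: every user with the same password shares one digest, and a precomputed table cracks them all at once. `make_record` and `verify` store a random per-user salt and an iteration count alongside a slow PBKDF2 digest, so each record has to be attacked separately and old records can be upgraded when the cost parameter changes. The record format `iterations$salt$hash` is an assumption of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Weak scheme: one fast, unsalted hash per password. Identical passwords give
# identical digests, and a leak of the table is directly reversible with a
# precomputed dictionary.
def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Corrected scheme: random per-user salt plus a deliberately slow KDF.
# (scrypt or argon2 would be equally suitable; PBKDF2 is in the stdlib.)
ITERATIONS = 310_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'iterations$salt_hex$hash_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    iters, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), stored_hex)


def needs_rehash(record: str) -> bool:
    """True when a record was made with a lower cost than the current setting,
    so it can be re-created transparently on the user's next successful login."""
    iters = int(record.split("$")[0])
    return iters < ITERATIONS


def login_and_upgrade(password: str, record: str) -> Optional[str]:
    """Return the (possibly upgraded) record on success, None on failure."""
    if not verify(password, record):
        return None
    return make_record(password) if needs_rehash(record) else record
```

The upgrade path is the part most real systems forget: when the iteration count is raised, existing records keep working, and `login_and_upgrade` quietly replaces them the next time the correct password is presented, so the whole table does not have to stay at the old cost forever.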