Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Social Networks The Internet Technology

Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com) 46

Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn't send an email to confirm the address change -- it just blindly accepted the change. "Unfortunately, we're not able to provide any details about accounts not connected to your email address," said OkCupid's customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him strange text messages from his phone number that was lifted from one of his private messages. It wasn't an isolated case. We found several cases of people saying their OkCupid account had been hacked.

But several users couldn't explain how their passwords -- unique to OkCupid and not used on any other app or site -- were inexplicably obtained. "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid." Even on OkCupid's own support pages, the company says that account takeovers often happen because someone has an account owner's login information. "If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach," says the support page. In fact, when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.

This discussion has been archived. No new comments can be posted.

Users Complain of Account Hacks, But OkCupid Denies a Data Breach

Comments Filter:
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday February 10, 2019 @10:41PM (#58101860) Homepage Journal

    "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid."

    It's entirely possible that there has been no breach of passwords, and that they just screwed up session management. There's been many a security failure in a website that permitted an attacker to guess a session ID, and railroad someone's account that way. If you combine that with a feature (or bug) which permits changing the email address without confirmation, you could easily have this kind of security failure without exposing any login credentials.

    • Any online service of noteworthy size has a never-ending stream of people claiming their account was "hacked", which inevitably means they used the same credentials on another site, or they have malware on their devices, and subsequently someone logged into their account simply using their standard login credentials.

      Of course, it's entirely possible there was some hack and the company is in denial/coverup mode, but you'd think people know better than to do that at this point. I've learned not to underestim

    • by DarkOx ( 621550 )

      Even the right type of CSRF bug could enable something like this.

  • by Anonymous Coward

    All of those users complaining day after day on the message boards at a rate of several sigma above that of any other comparable services, they must have been using the passwords on other sites or had malware installed on their machines.

    They could settle this once and for all with madatory 2FA

  • by Todd Knarr ( 15451 ) on Sunday February 10, 2019 @11:13PM (#58101970) Homepage

    I can think of several ways this can happen. Malware in the browser is one, no need to steal a password if you can use the currently logged-in session to change the password to a known value. Social engineering of OkC's support, resetting the email address and password through that channel won't generate a change-of-address confirmation even if the normal process does. A compromise of OkC's systems that OkC hasn't noticed yet (or doesn't want to admit to because of the likely effect on their business). Given the lack of security typical of this kind of site and how much their business model discourages strong identification of users, I have to consider an account with them to be at-risk from the moment it's created.

  • by Aryeh Goretsky ( 129230 ) on Sunday February 10, 2019 @11:50PM (#58102054) Homepage

    Hello,

    Unsurprisingly, OKCupid is owned by IAC, the same company that owns (or owned, in this case) AskJeeves, Match.Com, Plenty of Fish, Tinder and a host of other web properties. They are a company that makes money by getting eyeball counts, and things which interfere with that, like security, are tossed by the wayside.

    Several years ago, someone signed up using my name and email address for match.com, and a password of "baculum" (go ahead, look it up). There was no attempt to first authenticate me, they just allowed the account to be created and start getting responses, and when I realized what was going on and tried to log in, they sent the password for the account in plaintext to me.

    Apparently using IAC properties is (or was) a popular way to harass people. I reached out to their security people, trying to find out more about how an account was created with my email address and no authentication, and asked for information like the IP address it was created from and the time, and got a form letter back saying to come back with a warrant or subpoena.

    That they continue to have account abuse issues does not surprise me at all.

    Regards,

    Aryeh Goretsky

    • by jaa101 ( 627731 )

      That they continue to have account abuse issues does not surprise me at all.

      But they don't have account abuse issues; only their customers do. Or, at least, fobbing off customers with boilerplate is cheaper than improving their security. It's not like they're a bank or anything; what's their worst case cost?

      • by Zocalo ( 252965 )
        4% of total global revenue? [eugdpr.org]

        It's a *dating* site, and they operate in the EU. If you have an account there that's not just for lulz, then they are almost certainly going to have more of your sensitive PII than pretty much anyone other than the likes Facebook and Google - a compromise as a result of negligence and subsequent coverup would be an ICO's wet dream. Most people with a clue have now woken up to the need to secure accounts that have financial links, but a similar awareness over PII is still so
  • A website where you actively and publicly (within the site itself) profile yourself. Fav movies, geo location, pics, interests, etc... Plus you have lots of horny people spending countless hours on the site focused only on their sexual impulses, going on dates with strangers while being as open as they can, impulse texting, impulse phone calls.

    Best security practices - the furthest thing from their minds.

    Tons of attack vectors. The victims... too horny to care until they've lost accessed. Now they're forced

  • by sad_ ( 7868 ) on Monday February 11, 2019 @07:40AM (#58103004) Homepage

    there are 2 different companies in the world;
    those that have been hacked
    and those that have been hacked, but don't know it yet.

  • Everyone should try https://haveibeenpwned.com/ [haveibeenpwned.com] (no affiliation). It's scary how your old password that you used on some random website a decade ago has been leaked. Hopefully most "big" sites have moved to individually salted passwords so future password leaks will be less common or severe...

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...