PlentyofFish Hacked, Founder Emails Hacker's Mom
hellkyng writes "The online dating site PlentyofFish was hacked, and purportedly 30 million customer records were stolen. The site's founder, Markus Frind, is blaming the security researcher who discovered the vulnerability and the journalist who confirmed the issue."
The researcher who reported the vulnerability is Chris Russo, one of the guys who hacked The Pirate Bay last year. He explained his side of the story as well. Mr. Frind says he tracked down Russo's Facebook page and emailed his mom.
Should not affect the Slashdot crowd since they do not date.
The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.
I was on the site for a while. It was always slightly clunky, but I'd prefer a free, one-man labor of love to a buy-in site that basically tries to promise sex for money. It was particularly helpful in helping me discover that I wasn't as bad as most of the creeps out there... and conversely, creepiness doesn't belong exclusively to those of the male persuasion. That was good to know -- it helped me realize that I need to be picky. (And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class).
But on the tech side, it irritated the living crap outta me that POF would send me a weekly e-mail with my password IN PLAIN TEXT. Every week, just as a reminder of how easy it would be to log in. Yeah, easy for *anyone* to log in as me and, if I were foolish enough to put important information on POF, to mess with my life. And, of course, if I were foolish enough to use that password for my bank account... well, I think anyone on this site knows the rest.
So I'm not at all surprised that someone found a way to hack POF. Sending a password in plaintext is bad, but not uncommon. Heck, T-Mobile does it. But sending it every week, unsolicited? I'm sorry to be rude, but that's just stupid.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
So an immature but technically competent jerk cracked your computers and is now trying to get your company's lunch money, metaphorically. Your response is, among other things, to tell his mom.
O_o
You know, that sounds about right.
Assuming the Plentyoffish guy isn't lying (a definite possibility): http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/ states:
They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations.
I just looked it up online and found no mention of needing different incorporation types for dealing with customers only in Argentina vs. external to Argentina. The highest fee I found online (although I'm sure there are companies willing to charge more) was USD $1760 to form a "Sociedad Anónima" vs. USD $1370 to form a "Sociedad de Responsabilidad Limitada" (sounds like a standard Limited Liability Corporation, but I'm not an Argentine business lawyer so I could be wrong), far short of the $15,000 they are asking for.
I realise that this is somewhat off-topic, but it can't be a good idea to have a dating site with a domain name that reads as "plenty offish". When will people learn to use hyphens in domain names?
Tried Plenty of Fish for a short while - as a default, the service will mail 'new matches' to the email account you registered with every few days. These emails contain a plain-text version of your password (which essentially reads as "Remember, your password is: XXXX123").
It's not entirely surprising that the site had its security compromised.
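A weekly e-mail containing the user's password, as described in the comments above, is only possible when the site keeps passwords in recoverable form. As an added example (not PlentyofFish's code, which is not available here), this shows the defender-side alternative: salted, iterated hashes for storage, plus a hashed, expiring, single-use reset token as the only recovery path, so there is no password to put in a reminder e-mail. The usernames, passwords and iteration count are constructed values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example. USERS holds only (salt, hash);
# the plaintext password is never retained, so it cannot be e-mailed back.
USERS = {}
RESET_TOKENS = {}
ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def issue_reset_token(username: str, now: float, ttl: int = 900) -> str:
    # The only "recovery" a hash-only store can offer: a random token that is
    # itself stored hashed and expires after ttl seconds. It is returned once
    # for delivery to the user and never kept in plaintext server-side.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = (hashlib.sha256(token.encode()).digest(), now + ttl)
    return token


def redeem_reset_token(username: str, token: str, new_password: str, now: float) -> bool:
    # pop() makes the token single-use whether or not redemption succeeds.
    entry = RESET_TOKENS.pop(username, None)
    if entry is None:
        return False
    digest, expires = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expires or not hmac.compare_digest(digest, presented):
        return False
    register(username, new_password)
    return True
```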
If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then I'm going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.
Markus.
Back when Cheswick and Bellovin were doing the original Bell Labs firewalls, and caught a Dutch teenager trying to hack into their site, the Netherlands didn't have any computer security laws that made it illegal. "So we called his mom...."
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
...If you go there every other sentence has some huge grammatical error in it. The guy running it is completely illiterate.... Get for real.
Those who live in glass houses shouldn't throw stones, wouldn't you say? Your grammar is not exactly tip top yourself... What the hell does "Get for real" mean, I mean, in a proper English sense.
Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.
Actually, I'm pretty sure that is how it works. Cars are not terribly reliable contraptions, and purposefully so.
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
We only have the site owner's word for the claim that the hacker claimed it was actively exploited.
Does this web site operator really strike you as the most trustworthy of characters?
(Not that we have any reason to trust Mr. Russo either -- that's the point, it doesn't have to be black and white.)
Take a step back and look at the few things we DO know:
- The site employed poor security practices
- The site was hacked
- The hacker contacted the site owner
Anything beyond this is at this point hearsay.
Conducting unrequested and unauthorised penetration testing is a criminal offence, and that should always be the case. Otherwise you could have too many people who get caught hacking and then just hide behind the excuse that they were just doing some penetration testing and were going to notify the site owners if they found anything.
The reality is that a large number of sites out there have vulnerabilities as not every site can afford to have their site penetration tested on a regular basis. Coders can do their best but they are only human, and hence they occasionally make mistakes. It only takes a single mistake made on a Friday afternoon while the office was winding down and you can be vulnerable.
Not every business model can support the profit margins needed to support expert code reviews and penetration testing of every new release, especially while the entire economy shrinks and both companies and the public have less money to spend. Since creating an absolutely secure site is both very expensive and often not entirely understood by management it is a very easy corner to cut.
Hacking a site you have nothing to do with and then contacting the owner to offer your security services in return for payment is a little too close to extortion for my liking.
I don't read
Who uses MSSQL?!?
The same groups that use Oracle and Sybase. People who care about database performance and support.
He didn't email the hacker's mother, he emailed the security researcher's mother. Some unknown party hacked his website, and he blames the security researcher that was going out of his way to assist them in closing the vulnerability. After reading the researcher's take on this, the POF CEO could possibly be facing criminal charges for uttering death threats, harassment and perhaps a civil libel suit.
AccountKiller
*Headline taken from: http://www.krebsonsecurity.com/
A much easier headline.
Despite the term hacker not defining whether good or bad, instead only indicating circumvention of computer security, it has been used so virally in the media that it now tends to imply that a malicious hack was carried out. In short, the headline "PlentyofFish Hacked Founder Emails Hackers Mom" seems to suggest that the founder of PlentyofFish had found the person who breached his servers and then emailed their mother. However that is not the case.
https://secure.wikimedia.org/wikipedia/en/wiki/Hacker
-1 is for flame bait and trolls, not because you disagree with someone.
Is that why we're commenting on a story about how that thing got hacked in like 4 seconds by some Argentinian guy and his mom?
As a general rule, cars have been getting more and more reliable every year. They don't make them like they used to, and that's a good thing. Are there still preventable defects in cars? Sure, but they're getting fewer and farther between.
Reading both accounts of the story (one from the CEO, the other from the security expert), it seems to be a case of "who do you believe". All we truly know is that the site was hacked, these guys were involved somehow, and now they're mad at each other. Everything else is just based on what one side or the other says.
That said, looking through the blog postings of the CEO, he strikes me as having the classic case of paranoid narcissist personality disorder. Every other posting is a rant about how his competitors are all out to get him. Everything they do is about HIM and a response to HIS business. When eHarmony does something, it's not just an innocent business expansion, it's a direct personal attack on this guy. I've worked with presidents and CEOs who use similar wording to this CEO in their daily speech, and whose nuances and mannerisms seem to match this guy's perfectly. Although my examples are only anecdotal, I'd be willing to bet this disorder is quite common among business leaders.
Not knowing more about the situation and only having their two accounts to go with, I would probably fall on the side of believing the security expert's account more, just looking at the level of paranoia and exaggeration in the CEO's blogging history.
Markus is a spoiled, rich crybaby. He's made so much money off that hideous site for so many years (and boasted about it for ages on his blog)... you would think he could afford proper security audits and support to close holes.
Basically he's been sitting on his ass technically for nearly the entire time, and now he's pissy because his lack of attention bit him.
And for the record, OkCupid.com is so immeasurably better than PoF in every way, it's time for the old whale to die.
.sigs are for post^Hers.
Seriously?
You call dating based on physical attractiveness shallow... Fair enough. I would counter with the question: Why should I date people who aren't attractive to me? Why is physical attractiveness any less important than emotional attractiveness? I'd agree that it's shallow to date on looks alone... But speaking as someone who has tried having romantic relationships with people he isn't physically attracted to, I can say that it doesn't work any better than a relationship with someone I'm physically attracted to but emotionally uninterested in.
You make a great point though that you can't expect to date outside your league. Want a hot chick who's totally intellectual and into nerdy guys? Be an intellectual nerd who has a bit of a sense of style and works out.