Slashdot Mirror


Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com)

Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn't send an email to confirm the address change -- it just blindly accepted the change. "Unfortunately, we're not able to provide any details about accounts not connected to your email address," said OkCupid's customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number that was lifted from one of his private messages. It wasn't an isolated case. We found several cases of people saying their OkCupid account had been hacked.

But several users couldn't explain how their passwords -- unique to OkCupid and not used on any other app or site -- were inexplicably obtained. "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid." Even on OkCupid's own support pages, the company says that account takeovers often happen because someone has an account owner's login information. "If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach," says the support page. In fact, when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.

46 comments

  1. Victim of other hacks, perhaps by Anonymous Coward · · Score: 0

    People do have a tendency to reuse their passwords.

    1. Re:Victim of other hacks, perhaps by Anonymous Coward · · Score: 0

      when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.

      There are many dating websites, what many people don't know is that nearly all of them are owned by two or three companies, so it's not surprising that they all have shitty security.

  2. Could be true but irrelevant by drinkypoo · · Score: 4, Interesting

    "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid."

    It's entirely possible that there has been no breach of passwords, and that they just screwed up session management. There's been many a security failure in a website that permitted an attacker to guess a session ID, and railroad someone's account that way. If you combine that with a feature (or bug) which permits changing the email address without confirmation, you could easily have this kind of security failure without exposing any login credentials.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Could be true but irrelevant by Anonymous Coward · · Score: 0

      It's entirely possible that Trump just really, really likes the taste of Putin's cock and isn't a traitor at all. Two totally separate, unrelated Magnitsky's.

    2. Re:Could be true but irrelevant by Anonymous Coward · · Score: 0

      Trump and Putin met on OkCupid. I suspect they correspond privately there also, which could be one reason it is targeted by hackers.

    3. Re:Could be true but irrelevant by Dutch+Gun · · Score: 1

      Any online service of noteworthy size has a never-ending stream of people claiming their account was "hacked", which inevitably means they used the same credentials on another site, or they have malware on their devices, and subsequently someone logged into their account simply using their standard login credentials.

      Of course, it's entirely possible there was some hack and the company is in denial/coverup mode, but you'd think people know better than to do that at this point. I've learned not to underestimate people's idiocy over many years of hard-won experience.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Could be true but irrelevant by Anonymous Coward · · Score: 0

      These are not the droids you're looking for...

    5. Re: Could be true but irrelevant by Anonymous Coward · · Score: 0

      While it's more likely to be end-user fault, there's still a shortcoming in not sending a confirmation email to the old address when moving an account like this to a new email.

    6. Re: Could be true but irrelevant by _merlin · · Score: 1

      That falls over when you need to change your e-mail address because you signed up using your ISP e-mail address and you've changed to a different ISP, or your old web mail provider cut you off. A more workable way is to require either a confirmation code from the old e-mail address, or the password to be entered, or some other authentication factor (e.g. YubiKey or fingerprint) before allowing an e-mail address change. That protects against stealing a session cookie and still allows you to update your address if you lose access to the old one.

    7. Re:Could be true but irrelevant by DarkOx · · Score: 1

      Even the right type of CSRF bug could enable something like this.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re: Could be true but irrelevant by Anonymous Coward · · Score: 0

      That falls over when you need to change your e-mail address because you signed up using your ISP e-mail address and you've changed to a different ISP, or your old web mail provider cut you off.

      You are contradicting yourself in some of your answer...

      a confirmation code from the old e-mail address

      How could you access the "cut off" email service from your old ISP?

      the password to be entered

      If there is really a breach, the attacker would have already known the password to get into the account and change the corresponding email.

    9. Re: Could be true but irrelevant by _merlin · · Score: 1

      How could you access the "cut off" email service from your old ISP?

      Note that I used the words "either" and "or" in that sentence. In the case where a legitimate user has a valid session cookie but can't remember their password, they can use an e-mailed code to recover their account. If they don't have access to their e-mail account but can remember their password and/or have access to another authentication factor (YubiKey, fingerprint, etc.) they can use that to reset their e-mail address.

      If there is really a breach, the attacker would have already known the password to get into the account and change the corresponding email.

      The GP (or GGP or whatever) was talking about the possibility that passwords haven't been compromised, but rather session management is broken or has been compromised. In this case, the attacker doesn't know the password - they either steal or forge a valid session cookie and use that to access the account. If the service allows the e-mail address to be changed with nothing more than a valid session cookie, this kind of attack is very easy. That's why some sites require you to enter a password to change your e-mail address or other potentially sensitive tasks when you're already logged in. It's to protect against attacks on session management.

      (I realise e-mailing codes is pretty weak, as e-mail is only encrypted in transit and gets decrypted at each MTA on the way, and it's vulnerable to DNS hijacking, etc. But that and equally insecure SMS seem to be the most practical ways to allow account recovery when people inevitably forget their passwords.)
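      The re-authentication design _merlin describes above (any one of: a code mailed to the old address, the current password, or another registered factor) together with DarkOx's CSRF point, written out as an added Python example. This is not code from OkCupid or from any poster; the account record, session object, mail queue and the HMAC stand-in for a hardware key are constructed for the demo, and all names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed in-memory stand-ins for an account store, a session store and an
# outgoing mail queue. Hypothetical names, not any site's real API.

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a stolen table does not hand over the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

@dataclass
class Account:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    second_factor_secret: Optional[bytes] = None  # stand-in for a registered key
    pending_code: Optional[str] = None            # one-time code mailed to the OLD address

@dataclass
class Session:
    account: Account
    # Per-session CSRF token: a cross-site form post carries the cookie but not this.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

OUTBOX: List[Tuple[str, str]] = []  # (recipient, subject); constructed mail queue

def send_mail(to: str, subject: str) -> None:
    OUTBOX.append((to, subject))

def request_old_email_code(session: Session) -> None:
    """Mail-based path, step 1: send a one-time code to the CURRENT address."""
    code = secrets.token_hex(4)
    session.account.pending_code = code
    send_mail(session.account.email, f"Your email-change code: {code}")

def make_factor_response(secret: bytes, challenge: bytes) -> bytes:
    """What the (simulated) key computes over a server challenge."""
    return hmac.new(secret, challenge, "sha256").digest()

def verify_second_factor(account: Account, challenge: bytes, response: bytes) -> bool:
    if account.second_factor_secret is None:
        return False
    expected = make_factor_response(account.second_factor_secret, challenge)
    return hmac.compare_digest(expected, response)

def change_email(session: Session, csrf_token: str, new_email: str, *,
                 password: Optional[str] = None,
                 old_email_code: Optional[str] = None,
                 challenge: Optional[bytes] = None,
                 factor_response: Optional[bytes] = None) -> str:
    acct = session.account
    # 1. A valid session cookie alone never authorises this: the request must
    #    also carry the session's CSRF token.
    if not hmac.compare_digest(csrf_token.encode(), session.csrf_token.encode()):
        return "rejected: bad csrf token"
    # 2. Step-up: exactly one of the factors has to succeed ("either ... or").
    stepped_up = False
    if password is not None:
        _, digest = hash_password(password, acct.pw_salt)
        stepped_up = hmac.compare_digest(digest, acct.pw_hash)
    if not stepped_up and old_email_code is not None and acct.pending_code is not None:
        stepped_up = hmac.compare_digest(old_email_code.encode(), acct.pending_code.encode())
    if not stepped_up and challenge is not None and factor_response is not None:
        stepped_up = verify_second_factor(acct, challenge, factor_response)
    if not stepped_up:
        return "rejected: re-authentication required"
    # 3. Apply the change, burn the one-time code, and tell the OLD address what
    #    happened so a hijack is at least visible to the real owner.
    old = acct.email
    acct.email = new_email
    acct.pending_code = None
    send_mail(old, f"Your account email was changed to {new_email}")
    send_mail(new_email, "Confirm your new address")
    return "ok"

def make_demo() -> Session:
    """Constructed account with a password and a registered second factor."""
    salt, digest = hash_password("correct horse")
    acct = Account("old@example.invalid", salt, digest,
                   second_factor_secret=b"constructed-key-secret")
    return Session(acct)
```

      A request with a session but no step-up factor is refused, which is the case the thread is about: a stolen or forged session cookie on its own cannot move the account to an attacker's address. The mailed code is generated only on request and cleared once used, and the notification to the previous address goes out whichever factor was used.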

  3. perhaps not hacked.. by Anonymous Coward · · Score: 0

    ..in the traditional data breach or russian/chinese hacker sorta way, but rather by psycho exes, made possible because the 'victims' were fucking stupid and used the same damn password for everything.

    1. Re: perhaps not hacked.. by Anonymous Coward · · Score: 1

      Re-read the article.

    2. Re: perhaps not hacked.. by Anonymous Coward · · Score: 1

      Everyone that gets "hacked" always claims they don't reuse their passwords. Regularly dealing with this in security, I can assure you that most of them are liars too embarrassed to admit they reuse passwords.

  4. Re:Victim of other rapist aliens, perhaps by Anonymous Coward · · Score: 0

    I've been very happy with the job he's doing, despite his critics.

    Posting AC for obvious reasons.

  5. Yeah, and Blizzard wasn't breached either by Anonymous Coward · · Score: 1

    All of those users complaining day after day on the message boards at a rate of several sigma above that of any other comparable services, they must have been using the passwords on other sites or had malware installed on their machines.

    They could settle this once and for all with mandatory 2FA.

    1. Re:Yeah, and Blizzard wasn't breached either by Anonymous Coward · · Score: 0

      The users would bitch even more with mandatory MFA. I regularly deal with users that claim "no one could have my password and NO I DON'T reuse"; a quick check of Have I Been Pwned or some of the published lists and more often than not their "UNIQUE" password is there with their email.

    2. Re:Yeah, and Blizzard wasn't breached either by Anonymous Coward · · Score: 0

      How do you know their password? Is *your* site that non-secure?

    3. Re:Yeah, and Blizzard wasn't breached either by Anonymous Coward · · Score: 0

      Perhaps he has them browse to the site and enter their "un-reused" password.

  6. Several options for this by Todd+Knarr · · Score: 2

    I can think of several ways this can happen. Malware in the browser is one, no need to steal a password if you can use the currently logged-in session to change the password to a known value. Social engineering of OkC's support, resetting the email address and password through that channel won't generate a change-of-address confirmation even if the normal process does. A compromise of OkC's systems that OkC hasn't noticed yet (or doesn't want to admit to because of the likely effect on their business). Given the lack of security typical of this kind of site and how much their business model discourages strong identification of users, I have to consider an account with them to be at-risk from the moment it's created.

  7. Re:Donald McDonald is "Individual 1" lol...apk by Anonymous Coward · · Score: 0

    Go back to writing your hosts engine spyware, apk. Nobody cares about you or your gayness.

  8. Unsurprisingly, OKCupid is owned by IAC by Aryeh+Goretsky · · Score: 4, Informative

    Hello,

    Unsurprisingly, OKCupid is owned by IAC, the same company that owns (or owned, in this case) AskJeeves, Match.Com, Plenty of Fish, Tinder and a host of other web properties. They are a company that makes money by getting eyeball counts, and things which interfere with that, like security, are tossed by the wayside.

    Several years ago, someone signed up using my name and email address for match.com, and a password of "baculum" (go ahead, look it up). There was no attempt to first authenticate me, they just allowed the account to be created and start getting responses, and when I realized what was going on and tried to log in, they sent the password for the account in plaintext to me.

    Apparently using IAC properties is (or was) a popular way to harass people. I reached out to their security people, trying to find out more about how an account was created with my email address and no authentication, and asked for information like the IP address it was created from and the time, and got a form letter back saying to come back with a warrant or subpoena.

    That they continue to have account abuse issues does not surprise me at all.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
    1. Re:Unsurprisingly, OKCupid is owned by IAC by jaa101 · · Score: 0

      That they continue to have account abuse issues does not surprise me at all.

      But they don't have account abuse issues; only their customers do. Or, at least, fobbing off customers with boilerplate is cheaper than improving their security. It's not like they're a bank or anything; what's their worst case cost?

    2. Re:Unsurprisingly, OKCupid is owned by IAC by Zocalo · · Score: 2

      4% of total global revenue?

      It's a *dating* site, and they operate in the EU. If you have an account there that's not just for lulz, then they are almost certainly going to have more of your sensitive PII than pretty much anyone other than the likes of Facebook and Google - a compromise as a result of negligence and subsequent coverup would be an ICO's wet dream. Most people with a clue have now woken up to the need to secure accounts that have financial links, but a similar awareness over PII is still some way behind, or you'd see a lot more use of 2FA on sites like this.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Unsurprisingly, OKCupid is owned by IAC by Anonymous Coward · · Score: 0

      Initial coin offering?

    4. Re:Unsurprisingly, OKCupid is owned by IAC by Anonymous Coward · · Score: 0

      That happened to me, too, but I don't remember if it was match.com or one of the other dating sites. No double opt-in, nothing.

      Was your name also in your e-mail address? That just makes your e-mail address more valuable to those kinds of people.

    5. Re:Unsurprisingly, OKCupid is owned by IAC by Anonymous Coward · · Score: 0

      IAC OKC POF MATCH TINDER.... ALL ONE COMPANY.
      And they ALL SUCK ASS.

      The world DESPERATELY needs more free and open dating sites, even donation models.
      With NO corporate fake fill accounts to make the sites look busy.
      With ALL dead accounts not logged into in over six months DELETED.
      With functional REVERSE MATCH engines... show me people seeking blue hair, or seeking within 36-48 year olds..
      And functional default or no response FORWARD MATCH engines... if i search smokers, let me subselect ONLY smokers, or no answerers (which should not be programmed to be valid answer anyways, force them to answer).
      And with forced answers to honest question parameters... like not body type "average" "little extra" "slim" self bullshit, but required dropdowns in kilos or pounds, leave the feelgood fluff for profile text.
      Like breaking out full pet combination matrix, detailed kids and partner dropdowns, dropdowns for alcohol frequency, number of pets, kids, etc.

      And with *** NO *** site forced requirement to upload or ever share FACE PICTURES... PRIVACY and ANTI DATAMINING are important and paramount.

      There are NO such sites.

      Totally RIPE for YOU to go start one up and crush this IAC bullshit and become a dating site rockstar in the process.

    6. Re:Unsurprisingly, OKCupid is owned by IAC by Anonymous Coward · · Score: 0

      Don't forget to add a required box for if the mom or dad is still involved and how... kid shuffling, a check once a month, or not at all.
      Many people hate having to deal with the weekly drama and extensive cost and time of transportation, and the "my other parent" issue for the kids.
      And many people like the whole loose knit chaos thing.
      But it universally sucks to find that out after N dates when a site that forces responses to such basic life questions could have found them better matches from the get go.

  9. Profiling yourself by found404 · · Score: 1

    A website where you actively and publicly (within the site itself) profile yourself. Fav movies, geo location, pics, interests, etc... Plus you have lots of horny people spending countless hours on the site focused only on their sexual impulses, going on dates with strangers while being as open as they can, impulse texting, impulse phone calls.

    Best security practices - the furthest thing from their minds.

    Tons of attack vectors. The victims... too horny to care until they've lost access. Now they're forced to self-pleasure using their imagination or bing pr0n for a few days. Claw-like hands, blue balls... the signs of a hacked dating site.

  10. Inside job? by Anonymous Coward · · Score: 0

    I don't use their app but I had some suspicious behavior on Facebook where someone was in my "Following" section... follow/unfollow wouldn't work to get rid of them, I had to follow, go to their page after following, then unfollow FROM WITHIN THEIR PROFILE PAGE, to have it no longer showing in Following.

    Come to think of it: wasn't it OkCupid who tampered with things so that mismatches were "matches" as a social experiment to see if they would communicate?

  11. Who cares? by Anonymous Coward · · Score: 0

    Just go open another account. Case closed.

  12. there are 2 different companies in the world by sad_ · · Score: 3, Informative

    there are 2 different companies in the world;
    those that have been hacked
    and those that have been hacked, but don't know it yet.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  13. Grow up moron: That post wasn't I... apk by Anonymous Coward · · Score: 0

    Grow up moron: That post you replied to wasn't I. Quit trying to "frame me" via your UNIDENTIFIABLE anonymous posts you always STALK me by.

    * My program is NOT 'spyware' - IF anything? It STOPS spyware (& just about every kind of THREAT there is online & it does it BETTER than any other SINGLE solution loaded w/ security issues (DNS/Antivirus) OR crippled by default (UBlock/Adblock) addon can doing MORE for LESS, natively, & more efficiently + faster in kernelmode (vs. SLOWER usermode).

    APK

    P.S.=> Unbelievable - you have serious issues... apk

  14. Re: Nazi traitor Drumpftards will hang, cowards al by Anonymous Coward · · Score: 0

    The preceding addled screed was brought to you by METH.

    Meth - it rots your brain!

  15. Delayed fallout from Cloudbleed? by Anonymous Coward · · Score: 0

    If OKCupid's claims that there hasn't been a (recent) breach are correct, this could be delayed fallout from Cloudbleed in 2017.

    https://www.cnet.com/news/cloudbleed-uber-fitbit-okcupid-cybersecurity-password-information-exposed-wide-reaching-flaw/

  16. The answer is usually recycled passwords... by WoTG · · Score: 1

    Everyone should try https://haveibeenpwned.com/ (no affiliation). It's scary how your old password that you used on some random website a decade ago has been leaked. Hopefully most "big" sites have moved to individually salted passwords so future password leaks will be less common or severe...

  17. OkCupid does not support safety in my experience by Anonymous Coward · · Score: 0

    OkCupid has refused to support me on potential stalkers. If they won't step in for physical safety, I doubt hacking issues are any different.