Slashdot Mirror


Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com)

Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn't send an email to confirm the address change -- it just blindly accepted the change. "Unfortunately, we're not able to provide any details about accounts not connected to your email address," said OkCupid's customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages to his phone number, which had been lifted from one of his private messages. It wasn't an isolated case. We found several cases of people saying their OkCupid account had been hacked.

But several users couldn't explain how their passwords -- unique to OkCupid and not used on any other app or site -- were inexplicably obtained. "There has been no security breach at OkCupid," said Natalie Sawyer, a spokesperson for OkCupid. "All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid." Even on OkCupid's own support pages, the company says that account takeovers often happen because someone has an account owner's login information. "If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach," says the support page. In fact, when we checked, OkCupid was just one of many major dating sites -- like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony -- that didn't use two-factor authentication at all.
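The failure the summary describes is an email-change endpoint that writes the new address immediately, so whoever holds a hijacked session also inherits password resets. The following is an added example, not OkCupid's code or anything from the TechCrunch article: a minimal account model that contrasts that unverified change with a flow that keeps the old address authoritative until a one-time token mailed to the new address is presented, notifies the old address so the owner can cancel, and routes reset mail only to the confirmed address. The `Account` fields, the `outbox` stand-in for a mail sender, and the token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical data model for the example; field names are assumptions, not OkCupid's schema.
TOKEN_TTL_SECONDS = 3600


@dataclass
class Account:
    email: str                              # the only address trusted for password resets
    pending_email: Optional[str] = None     # requested but not yet confirmed
    pending_token_hash: Optional[str] = None
    pending_expires: float = 0.0


# Constructed stand-in for a mail sender: (recipient, message) pairs are appended here.
outbox: List[Tuple[str, str]] = []


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked database row cannot be used to confirm the change.
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(acct: Account) -> None:
    acct.pending_email = None
    acct.pending_token_hash = None
    acct.pending_expires = 0.0


def change_email_unverified(acct: Account, new_email: str) -> None:
    """The weak flow the article describes: the new address is written immediately,
    so whoever holds the session now also controls password resets."""
    acct.email = new_email


def request_email_change(acct: Account, new_email: str, now: Optional[float] = None) -> str:
    """Hardened flow, step 1: park the new address as pending, mail a one-time token to it,
    and notify the current address so the real owner can cancel."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.pending_token_hash = _hash_token(token)
    acct.pending_expires = now + TOKEN_TTL_SECONDS
    outbox.append((new_email, f"Confirm your new address with token {token}"))
    outbox.append((acct.email, "An email-address change was requested; cancel it if this was not you"))
    return token  # returned only so the demo and test can drive the flow; production code only mails it


def confirm_email_change(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Step 2: apply the change only with a valid, unexpired token for the pending address."""
    now = time.time() if now is None else now
    if acct.pending_email is None or acct.pending_token_hash is None:
        return False
    if now > acct.pending_expires:
        _clear_pending(acct)          # stale request is discarded, old address stays in force
        return False
    if not hmac.compare_digest(acct.pending_token_hash, _hash_token(token)):
        return False                  # constant-time compare; a wrong token changes nothing
    old_email = acct.email
    acct.email = acct.pending_email
    _clear_pending(acct)
    outbox.append((old_email, f"Your address was changed to {acct.email}"))
    return True


def cancel_email_change(acct: Account) -> None:
    """Step 2 (alternative): the owner, reached at the old address, revokes the request."""
    _clear_pending(acct)


def password_reset_recipient(acct: Account) -> str:
    """Reset mail goes to the confirmed address only; a pending address is never trusted."""
    return acct.email


if __name__ == "__main__":
    # Scenario from the article: an attacker who has the victim's password swaps the address.
    weak = Account("victim@example.com")
    change_email_unverified(weak, "attacker@example.net")
    print("weak flow, reset mail goes to:", password_reset_recipient(weak))

    hardened = Account("victim@example.com")
    request_email_change(hardened, "attacker@example.net")
    print("hardened flow, reset mail still goes to:", password_reset_recipient(hardened))
    cancel_email_change(hardened)  # victim follows the cancel link from the notice
    print("pending after cancel:", hardened.pending_email)
```

The point of the hardened version is not the token itself but the ordering: the address that receives recovery mail never changes until someone has proven control of both the session and the new inbox, and the old inbox is told about the attempt while it can still intervene. The same pattern applies to phone numbers used for SMS recovery.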

2 of 46 comments

  1. Unsurprisingly, OKCupid is owned by IAC by Aryeh Goretsky · Score: 4, Informative

    Hello,

    Unsurprisingly, OKCupid is owned by IAC, the same company that owns (or owned, in this case) AskJeeves, Match.Com, Plenty of Fish, Tinder and a host of other web properties. They are a company that makes money by getting eyeball counts, and things which interfere with that, like security, are tossed by the wayside.

    Several years ago, someone signed up using my name and email address for match.com, and a password of "baculum" (go ahead, look it up). There was no attempt to first authenticate me, they just allowed the account to be created and start getting responses, and when I realized what was going on and tried to log in, they sent the password for the account in plaintext to me.

    Apparently using IAC properties is (or was) a popular way to harass people. I reached out to their security people, trying to find out more about how an account was created with my email address and no authentication, and asked for information like the IP address it was created from and the time, and got a form letter back saying to come back with a warrant or subpoena.

    That they continue to have account abuse issues does not surprise me at all.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  2. there are 2 different companies in the world by sad_ · Score: 3, Informative

    there are 2 different companies in the world;
    those that have been hacked
    and those that have been hacked, but don't know it yet.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.