Dating Site PlentyofFish Hacked in Bizarre Scheme

Dating site PlentyofFish was hit by hackers this weekend, but rather than a quick data grab, the alleged hacker carried out a scheme that involved tales of Russian mobsters, extortion plots, late-night phone calls, and a noted tech reporter, according to the site's CEO.

The hackers successfully exported 345 accounts from the PlentyofFish (POF) database, and then tried to convince the site to hire them as a security team. If POF refused, the hackers said they would release the data to the press, the company said.

"The breach was sealed in minutes and the Plentyoffish team had spent several days testing its systems to ensure no other vulnerabilities were found. Several security measures, including forced password reset, had been imposed," POF said in a statement. "Plentyoffish is bringing on several security companies to perform an external security audit, and will take all measures necessary to make sure our users are safe."

The back story, however, is a bit more juicy - and weird. POF chief executive Markus Frind on Monday published a lengthy blog post that he said was not an official statement from his company but instead "a personal post about what it feels like to be hacked/extorted and the intense pressure and stress you are put under."

According to Frind, an Argentinian hacker named Chris Russo contacted him to say that Russian hackers had taken over his computer, were downloading the site's database, and had threatened to kill him. Russo was allegedly in a panic and told Frind that he had to fly to Argentina or Washington, DC to help stop the attacks.
Russo "says the Russians have complete access to everything including our bank accounts, and they want to steal about $30 million from a string of dating sites including ours," Frind wrote. "Not only that, he tells us 5 or 6 other dating sites in the industry have been breached, and he gives me what he claims is the administrative password for a dating company I won't name but it's very famous."
Later, Russo and a business partner identified as Luca told Frind that "in exchange for complete access to all of our source code and SQL servers they can make sure we aren't attacked again," Frind wrote.

Frind said he responded by saying that he would "sue them out of existence if the data comes out." He then apparently e-mailed Russo's mother, but did not say if that helped the situation.
Frind also said he received a phone call from former Washington Post reporter Brian Krebs asking about the security breach. Given that Krebs and Russo were friends on Facebook, Frind said he initially suspected that Krebs might be in on the hack, but later reconsidered.

"Just to be clear Krebs didn't have anything to do with this. I was trying to convey how the hacker tried to create a mass sense of confusion at all times so you never know what's real and what is not," Frind wrote in an update to his blog post.
On his own blog, Krebs acknowledged that Frind had "mildly" backtracked on accusing him of participating in the hack. Krebs wrote that Russo contacted him earlier this month to say that he had found flaws in POF that allowed him to view account and password information about POF users.

"He said the information was being circulated in the hacker community, and that he could prove the flaws existed if I simply created a free user account on the site. I did so, and Russo proceeded to read me my registration information," Krebs said.
Krebs wrote that he tried to contact POF about the breach, but didn't hear anything for two days. POF then failed to issue a response for 10 days, until Frind posted his account on the blog.

Krebs speculated that "part of the reason [PlentyofFish] has a problem is because its database is insecure. POF claims to have closed the security hole and reset all user passwords. But on top of that, the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no," he wrote. "Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users."

In a statement provided to Grumo Media, Russo said he simply informed POF about the security flaw, but that "while we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website."