One of the Internet's biggest online dating sites, eHarmony, has confirmed that security has been breached and member passwords compromised. eHarmony spokesperson Becky Teraoka says that "a small fraction of our user base has been affected" although I am led to understand that the 'small fraction' in question is actually around 1.5 million. The password hashes were published on a Russian hacking forum, with members asking for help in cracking them and converting the hashes into usable passwords.
Sound familiar? Well, that's because this has the hand of the LinkedIn password hacker all over it. As DaniWeb reported yesterday, LinkedIn has also confirmed that security was breached and a file containing some 6.5 million password hashes has been published on a Russian hacking forum. That number has now been scaled down slightly to 5.8 million to allow for duplicates that were found, but it's still one heck of a big breach with serious consequences for those users whose accounts may be compromised as a result.
Like LinkedIn, eHarmony has acted to mitigate the fallout and Teraoka confirms that "we have reset affected members' passwords" and emails are going out to those members with instructions on how to reset them to something different again. Teraoka also insists that "eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches." Which all sounds good, but the fact is that those password hashes have still been breached by hackers and if, as it would seem, they are unsalted then it's now open season on cracking them.
Gary Clark from SafeNet says that the eHarmony security breach "highlights once again the weaknesses in the hashed approach to password data protection revealed by the LinkedIn hack" and continues "a good outcome of this new rash of data breaches may be that consumers will demand real not ersatz encryption from their service providers. Hashed passwords simply don’t cut it and offer little real resistance to a determined hacker. Consumers really need to be reassured that their online service providers are taking data protection seriously and are applying end-to-end encryption to ensure users’ details and passwords are adequately protected against the latest security threats."
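The point worth drawing out of the two paragraphs above is that the weakness is not hashing as such but unsalted, fast hashing: identical passwords produce identical digests, which is why duplicates could be stripped from the LinkedIn file, and a single precomputed table works against every account at once. The standard mitigation is a per-user random salt combined with a deliberately slow key-derivation function. The Python below is an added example written for this article, not code from eHarmony, LinkedIn or any of the vendors quoted; the sample users and passwords are constructed, and the PBKDF2 iteration count is an assumed tuning value. It contrasts the two storage schemes and includes a simple audit check: counting repeated digests in a credential store, which is only possible when the hashes are unsalted.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample data for illustration only; two users share a password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
    "carol": "hunter2",      # same password as bob
    "dave": "Tr0ub4dor&3",
}

# Assumed work factor; in production, tune this to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_unsalted(password: str) -> str:
    """The weak scheme: a fast, unsalted digest.

    Every user with the same password gets the same stored value, so one
    precomputed table of digests matches all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The mitigation: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters needed for verification travel with the stored value.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive using the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def count_duplicate_digests(stored_values) -> int:
    """Number of stored values that repeat an earlier one.

    A non-zero count in a credential store is a red flag that the hashes are
    unsalted: with per-user salts, even users sharing a password get distinct
    stored values, so a dump cannot be de-duplicated the way the LinkedIn
    file was.
    """
    counts = Counter(stored_values)
    return sum(n - 1 for n in counts.values() if n > 1)


def audit(users: dict) -> dict:
    """Hash the same user set both ways and report duplicate digests for each."""
    unsalted = [hash_unsalted(pw) for pw in users.values()]
    salted = [hash_salted(pw) for pw in users.values()]
    return {
        "unsalted_duplicates": count_duplicate_digests(unsalted),
        "salted_duplicates": count_duplicate_digests(salted),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_USERS))  # {'unsalted_duplicates': 1, 'salted_duplicates': 0}
    record = hash_salted("hunter2")
    print(verify_salted("hunter2", record), verify_salted("hunter3", record))  # True False
```

The audit result is the practical takeaway for a defender reviewing a store: bob and carol collapse to one digest under the unsalted scheme and stay distinct under the salted one. The iteration count is stored alongside the salt so it can be raised over time without invalidating existing records; a real deployment would use a maintained library (or a memory-hard KDF such as scrypt or Argon2) rather than hand-rolled formatting.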
Ross Brewer, managing director at LogRhythm, points out that "this is the second significant data breach that eHarmony has suffered in less than two years. When taken alongside the latest LinkedIn hack and the spate of other high-profile incidents of late, it’s becoming painfully clear that falling victim to a security breach is now a case of when and not if."