
One of the Internet's biggest online dating sites, eHarmony, has confirmed that security has been breached and member passwords compromised. eHarmony spokesperson Becky Teraoka says that "a small fraction of our user base has been affected" although I am led to understand that the 'small fraction' in question is actually around 1.5 million. The password hashes were published on a Russian hacking forum, with members asking for help in cracking them and converting the hashes into usable passwords.

Sound familiar? Well, that's because this has the hand of the LinkedIn password hacker all over it. As DaniWeb reported yesterday, LinkedIn has also confirmed that security was breached and a file containing some 6.5 million password hashes has been published on a Russian hacking forum. That number has now been scaled down slightly to 5.8 million to allow for duplicates that were found, but it's still one heck of a big breach with serious consequences for those users whose accounts may be compromised as a result.

Like LinkedIn, eHarmony has acted to mitigate the fallout and Teraoka confirms that "we have reset affected members' passwords" and emails are going out to those members with instructions on how to reset them to something different again. Teraoka also insists that "eHarmony uses robust security measures, including password hashing and data encryption, to protect our members' personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches." Which all sounds good, but the fact is that those password hashes have still been breached by hackers and if, as it would seem, they are unsalted then it's now open season on cracking them.
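Why an unsalted hash dump is "open season" is easiest to see in code. The example below is added here and is not code from either site or from the article; it assumes a plain unsalted SHA-1 store purely as an illustration (the page does not name the algorithm either site used), and the user accounts and the PBKDF2 iteration count are constructed values. The unsalted half shows that any two members who chose the same password get the same stored hash, so duplicates fall out of the dump without any cracking and one precomputed table serves every account. The salted half shows the mitigation a service should have in place: a per-user random salt and a deliberately slow key-derivation function, verified with a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts: two members happened to pick the same weak password.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Deterministic, unsalted SHA-1 of the password (the weak scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hashes(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group members by unsalted hash.

    Any group with more than one member shares a password, and the grouping
    needs no cracking at all: equal inputs give equal outputs. The same
    property lets one precomputed hash table be checked against every
    account in a leaked file at once.
    """
    groups: Dict[str, List[str]] = {}
    for name, password in users.items():
        groups.setdefault(unsalted_sha1(password), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


# Assumption: iteration count chosen for this example; tune it to the
# hardware so a single verification costs on the order of 100 ms.
PBKDF2_ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a 16-byte random salt.

    The record carries algorithm, iterations and salt so it can be verified
    later and so the cost can be raised for new records without breaking
    old ones.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """With per-user salts, two members sharing a password store different records."""
    return make_record(password) != make_record(password)


if __name__ == "__main__":
    print("shared-password groups in an unsalted store:", duplicate_hashes(SAMPLE_USERS))
    rec = make_record("letmein")
    print("salted record:", rec)
    print("verify correct:", verify("letmein", rec), "verify wrong:", verify("wrong", rec))
    print("same password, distinct records:", same_password_distinct_records("letmein"))
```

The point of the record format is that the salt is not secret; its job is to make every stored value unique so that precomputation and duplicate matching stop working across accounts, while the iteration count makes each guess expensive.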

Gary Clark from SafeNet says that the eHarmony security breach "highlights once again the weaknesses in the hashed approach to password data protection revealed by the LinkedIn hack" and continues "a good outcome of this new rash of data breaches may be that consumers will demand real not ersatz encryption from their service providers. Hashed passwords simply don’t cut it and offer little real resistance to a determined hacker. Consumers really need to be reassured that their online service providers are taking data protection seriously and are applying end-to-end encryption to ensure users’ details and passwords are adequately protected against the latest security threats."

Ross Brewer, managing director at LogRhythm, points out that "this is the second significant data breach that eHarmony has suffered in less than two years. When taken alongside the latest LinkedIn hack and the spate of other high-profile incidents of late, it’s becoming painfully clear that falling victim to a security breach is now a case of when and not if."


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


@Davey Winder

I actually removed my info when I heard that; in the end I had to close my account because there was a security risk. I'm a bit surprised that no one at DaniWeb said anything. Meaning members.


So eHarmony's security has been broken again. I have absolutely no jokes about that. None.
But hang on. Doesn't hacking mean those members might get to be contacted by people? That's why they are there in the first place? And if LinkedIn was hacked then once again, the aim of the site is fulfilled. LinkedIn is all about creating new contacts.


You read it right. They are doing so now though, after the hash horse has bolted through the unsalted stable doors...


Hmmm... so it becomes very risky for the public; one must remove his or her data from the backup, or, if one still does not feel secure, the account should be deactivated.
