Dating disaster: eHarmony confirms passwords exposed by LinkedIn hacker

happygeek

One of the Internet's biggest online dating sites, eHarmony, has confirmed that security has been breached and member passwords compromised. eHarmony spokesperson Becky Teraoka says that "a small fraction of our user base has been affected" although I am led to understand that the 'small fraction' in question is actually around 1.5 million. The password hashes were published on a Russian hacking forum, with members asking for help in cracking them and converting the hashes into usable passwords.

Sound familiar? Well that's because this has the hand of the LinkedIn password hacker all over it. As DaniWeb reported yesterday, LinkedIn has also confirmed that security was breached and a file containing some 6.5 million password hashes has been published on a Russian hacking forum. That number has now been scaled down slightly to 5.8 million to allow for duplicates that were found, but it's still one heck of a big breach with serious consequences for those users whose accounts may be compromised as a result.

Like LinkedIn, eHarmony has acted to mitigate the fallout and Teraoka confirms that "we have reset affected members' passwords" and emails are going out to those members with instructions on how to reset them to something different again. Teraoka also insists that "eHarmony uses robust security measures, including password hashing and data encryption, to protect our members' personal information. We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches." Which all sounds good, but the fact is that those password hashes have still been breached by hackers and if, as it would seem, they are unsalted then it's now open season on cracking them.
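As an added illustration (not part of the original article), the Python below shows why an unsalted hash store invites cracking: identical passwords hash to identical values, so a leaked dump collapses into duplicates (as the LinkedIn file did) and a single precomputed table covers every user who chose the same password, whereas a per-user random salt fed into a slow key derivation function (PBKDF2-HMAC-SHA256 here) makes every stored value unique. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to share a password.
PASSWORDS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: same password, same hash, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus a deliberately slow KDF; output differs per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build what a well-designed site would store for one account."""
    salt = os.urandom(16)  # fresh random salt per account
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": salted_hash(password, salt, ITERATIONS),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_ratio(hashes) -> float:
    """Fraction of a dump that is duplicated; high for unsalted stores,
    zero for salted ones even when users share passwords."""
    hashes = list(hashes)
    return 1 - len(set(hashes)) / len(hashes)


if __name__ == "__main__":
    unsalted_dump = [unsalted_hash(p) for p in PASSWORDS.values()]
    salted_dump = [make_record(p)["hash"] for p in PASSWORDS.values()]
    print("unsalted duplicate ratio:", round(duplicate_ratio(unsalted_dump), 3))
    print("salted duplicate ratio:  ", duplicate_ratio(salted_dump))
```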

Gary Clark from SafeNet says that the eHarmony security breach "highlights once again the weaknesses in the hashed approach to password data protection revealed by the LinkedIn hack" and continues "a good outcome of this new rash of data breaches may be that consumers will demand real not ersatz encryption from their service providers. Hashed passwords simply don’t cut it and offer little real resistance to a determined hacker. Consumers really need to be reassured that their online service providers are taking data protection seriously and are applying end-to-end encryption to ensure users’ details and passwords are adequately protected against the latest security threats."

Ross Brewer, managing director at LogRhythm, points out that "this is the second significant data breach that eHarmony has suffered in less than two years. When taken alongside the latest LinkedIn hack and the spate of other high-profile incidents of late, it’s becoming painfully clear that falling victim to a security breach is now a case of when and not if."

LastMitch commented: Thanks for the article!
diafol commented: hilarious!

LastMitch

@Davey Winder

I actually removed my info when I heard that; in the end I had to close my account because there was a security risk. I'm a bit surprised that no one at DaniWeb said anything. Meaning members.

gerbil

So eHarmony's security has been broken again. I have absolutely no jokes about that. None.
But hang on. Doesn't hacking mean those members might get to be contacted by people? That's why they are there in the first place? And if LinkedIn was hacked then once again, the aim of the site is fulfilled. LinkedIn is all about creating new contacts.

diafol

Did I read that right?? They didn't salt the hash? Chortles into his spam... :)

happygeek

You read it right. They are doing so now though, after the hash horse has bolted through the unsalted stable doors...

Maximlis

Nice article. It gives a detailed overview.

rubeccamatthews

Hmmm... so it has become very risky for the public; one must remove his or her data from the backup, or if one still does not feel secure then the account should be deactivated.
