Hacker Targets eHarmony, Accesses User Screen Names, Passwords
According to Krebs, it appears that the breach was orchestrated by Chris Russo -- the Argentinian hacker who pulled off a similar heist on dating site Plentyoffish a few weeks ago. Russo, who prefers to call himself a "security researcher" rather than a hacker, reportedly discovered a vulnerability in eHarmony's network late last year. If exploited, the hole would allow him to obtain passwords and other information on thousands of the site's users.
Russo told Krebs about his discovery in December, but later said that he ended his research. Last week, however, Krebs heard that eHarmony had been hacked, and discovered that a cybercriminal was selling access to eHarmony's user database for $2,000 to $3,000 on an online clearinghouse called Carder.biz. Krebs immediately contacted Russo, but the Argentinian said he had nothing to do with it. He later conceded, though, that one of his associates who knew about his research could've been behind the breach.
eHarmony's chief technology officer, Joseph Essas, told Krebs that Russo discovered a SQL injection vulnerability, which gave him access to "screen names, email addresses, and hashed passwords" that clients used to access the company's advice site. According to Essas, the hack job only affected accounts on the advice site, and not the main eHarmony network. "Despite [Russo's] reports to you, we have found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments," Essas confirmed.
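The flaw Essas describes, a SQL injection in a lookup against a table of screen names, emails and hashed passwords, comes down to query text being assembled from user input. The following is an added illustration, not eHarmony's code: the table name `advice_users`, its columns and the three sample users are all constructed for the example, and unsalted SHA-256 merely stands in for whatever hash the site used. It places the concatenated query next to its parameterized replacement and uses the classic tautology string as the regression input a defender runs to confirm the fix no longer widens the match.

```python
import hashlib
import sqlite3

# Constructed sample data for a hypothetical "advice site" user table
# (not eHarmony's schema or data).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "correct horse"),
    ("bob", "bob@example.com", "hunter2"),
    ("carol", "carol@example.com", "letmein"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding screen name, email and hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE advice_users (screen_name TEXT, email TEXT, pw_hash TEXT)"
    )
    for name, email, pw in SAMPLE_USERS:
        # Unsalted SHA-256 is a placeholder for the site's real hash; it is here
        # only because the article says the exposed field was a hashed password.
        conn.execute(
            "INSERT INTO advice_users VALUES (?, ?, ?)",
            (name, email, hashlib.sha256(pw.encode()).hexdigest()),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, screen_name: str) -> list:
    """Builds the WHERE clause by string concatenation, so the caller's input
    becomes part of the SQL itself and can change what the query matches."""
    sql = (
        "SELECT screen_name, email, pw_hash FROM advice_users "
        "WHERE screen_name = '" + screen_name + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, screen_name: str) -> list:
    """Same query with a bound parameter: the driver passes the value separately
    from the statement, so it is compared as data and never alters the query."""
    sql = "SELECT screen_name, email, pw_hash FROM advice_users WHERE screen_name = ?"
    return conn.execute(sql, (screen_name,)).fetchall()


# Standard regression input for verifying a fix: it must match zero rows once
# the lookup is parameterized.
TAUTOLOGY = "x' OR '1'='1"


def demo() -> dict:
    """Row counts returned by each lookup for the tautology and a normal name."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "fixed_rows": len(lookup_parameterized(conn, TAUTOLOGY)),
        "normal_rows": len(lookup_parameterized(conn, "bob")),
    }


if __name__ == "__main__":
    print(demo())
```

Against the constructed table the concatenated lookup returns every row for the tautology input, which is exactly the "whole table of screen names, emails and hashes" outcome the article reports, while the parameterized lookup returns none. Note that hashing alone does not close the incident: a dump of unsalted or fast hashes can still be attacked offline, which is why the password-reset e-mail mentioned later in the article is the right follow-up even when only hashes were exposed.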
Russo apparently offered his services to fix the vulnerability, but eHarmony, suspecting that the hacker may be exploiting the company, politely declined. "Russo's fraudulent efforts to obtain money from us are most disturbing," Essas said. "As such, we are exploring our legal rights and remedies as well." Thus far, the site has taken what Essas called "proactive precautionary measures," and has reportedly sent out an e-mail to users, asking them to change their passwords immediately.
Krebs has also discovered that the same user who was peddling eHarmony's information on Carder.biz is selling access to data from other companies, including "1,500,000 American usernames, passwords, emails and more" from diversitybusiness.com, and similar customer information from pixmania.com and eidos.com. Eidos, an online computer game vendor, says it's looking into the matter, but neither Pixmania nor DiversityBusiness provided comment.