In what he calls "an incredibly well planned and sophisticated attack", Markus Frind writes that "Plentyoffish was hacked last week and we believe emails, usernames and passwords were downloaded. We have reset all users' passwords and closed the security hole that allowed them to enter."
Frind says that an official announcement from the company will follow shortly, so at present the extent of the breach is unknown. However, the story behind the hack is interesting. Frind lays the blame on an Argentinian hacker. He claims that after breaking into Plenty of Fish's database, the hacker contacted Frind's wife claiming that "Russians have taken over his computer and are trying to kill him, and his life is in extreme danger and they are currently downloading plentyoffish's database".
Frind alleges that the hacker claimed a widespread, Russian-led hack on major dating sites was underway and that the gang responsible planned to steal $30 million from them. Frind says he believes this was an extortion attempt by the hacker, who later introduced himself as part of a security company that could help solve the problem.
In the comments to Frind's post, the "hacker" concerned denies the accusation, saying that he simply got in contact to offer a solution and wasn't responsible for any data breach himself.
Meanwhile, over on Hacker News, an in-depth discussion is taking place into the security (or otherwise) of Plenty of Fish's method of storing passwords. It appears that the passwords have been stored in an unencrypted form, thus leading to their easy exposure to hackers.
So, extortion attempt or a legitimate security analyst trying to help? We're still unpicking the facts behind this, but one thing's for sure: if you're a Plenty of Fish user, it's best to change your password right now.
UPDATE: The "hacker" concerned, Chris Russo, has sent us a lengthy explanation of his side of the story.
Russo notes: "The Last Friday 21 of January, we discovered a vulnerability in www.plentyoffish.com exposing users details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most of cases, paypal accounts, of more than 28,000,000 (twenty eight million users). This vulnerability was under active exploitation by hackers."
Russo says that he contacted Frind in order to alert him to the problem. He says Frind was in the process of hiring him as a security consultant to conduct more work when his tone changed dramatically, accusing Russo of being the hacker.
Russo maintains that he was simply reporting an error. Whatever's actually going on here, it appears that the hack was genuine.
Update 2: The following video has just been posted to Hacker News, purporting to show how Plenty of Fish was hacked. Supposedly recorded by Chris Russo (although we have no way of verifying this), the video's description on YouTube just adds to the mess of confusion around the situation by alleging that Russo did in fact hack the site, not a third party as Russo suggested earlier. We're still no closer to figuring this one out...