In what he calls “an incredibly well planned and sophisticated attack”, Markus Frind writes that “Plentyoffish was hacked last week and we believe emails, usernames and passwords were downloaded. We have reset all users’ passwords and closed the security hole that allowed them to enter.”
Frind says that an official announcement from the company will follow shortly so at present, the extent of the breach is unknown. However, the story behind the hack is interesting. Frind lays the blame on an Argentinian hacker. He claims that after breaking into Plenty of Fish’s database, the hacker contacted Frind’s wife claiming that “Russians have taken over his computer and are trying to kill him, and his life is in extreme danger and they are currently downloading plentyoffish’s database”.
Frind alleges that the hacker claimed a widespread, Russian-led hack on major dating sites was underway and that the gang responsible planned to steal $30 million from them. Frind says he believes this was an extortion attempt by the hacker, who later introduced himself as part of a security company that could help solve the problem.
In the comments to Frind’s post, the “hacker” concerned denies the accusation, saying that he simply got in contact to offer a solution and wasn’t responsible for any data breach himself.
Meanwhile, over on Hacker News, an in-depth discussion is taking place about the security (or otherwise) of Plenty of Fish’s method of storing passwords. It appears that the passwords were stored in plain text rather than as salted hashes, so anyone who obtained a copy of the database could read every user’s password directly, with no cracking step required.
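To make the point of that discussion concrete, the following Python is an added illustration, not code from the article or from Plenty of Fish, and says nothing about how the site was actually built. It contrasts a plaintext credential table with a salted, iterated hash store (PBKDF2-SHA256 via the standard library) and shows what each design gives an attacker who dumps the table. The `SAMPLE_USERS` records and the `hash_password`/`verify_password` helpers are constructed for this example.

```python
"""Plaintext versus salted-hash password storage.

Added illustration only; not code from the article or from Plenty of Fish.
All user records below are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed sample accounts (not real users). Two of them share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

# --- 1. The weak design: the table holds the password itself. ---

def build_plaintext_store(users):
    """What a site that keeps passwords 'as is' writes to its database."""
    return dict(users)

def verify_plaintext(store, username, password):
    return store.get(username) == password

def credentials_readable_from_dump(store):
    """A dump of a plaintext store *is* the credential list, ready for reuse
    against the same users' email and PayPal accounts."""
    return sorted(store.items())

# --- 2. The hardened design: a salted, iterated hash per user. ---

ALGO = "pbkdf2_sha256"

def hash_password(password, salt=None, iterations=200_000):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn for each password unless one is
    supplied (the parameter exists only so tests can be deterministic).
    The iteration count is stored alongside the hash so it can be raised
    later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def build_hashed_store(users):
    return {name: hash_password(pw) for name, pw in users.items()}

def passwords_exposed_by_dump(users, hashed_store):
    """Names of users whose actual password appears anywhere in their stored
    record. For a hashed store this should be empty."""
    return [name for name, pw in users.items() if pw in hashed_store[name]]

def same_password_same_record(hashed_store, a, b):
    """With per-user salts, identical passwords still produce different
    records, so a dump does not even reveal which users share a password."""
    return hashed_store[a] == hashed_store[b]

if __name__ == "__main__":
    plain = build_plaintext_store(SAMPLE_USERS)
    print("plaintext dump yields:", credentials_readable_from_dump(plain))
    hashed = build_hashed_store(SAMPLE_USERS)
    print("hashed dump exposes:", passwords_exposed_by_dump(SAMPLE_USERS, hashed))
    print("alice/bob records identical:", same_password_same_record(hashed, "alice", "bob"))
    print("login alice/hunter2:", verify_password(hashed["alice"], "hunter2"))
```

Hashing does not make a breach harmless: weak passwords can still be recovered by offline guessing, which is why the iteration count matters and why a forced reset, as Frind describes, is still the right response. But a dump of the hashed table no longer hands the attacker a ready-made list of working credentials.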
So, extortion attempt or a legitimate security analyst trying to help? We’re still unpicking the facts behind this, but one thing’s for sure: if you’re a Plenty of Fish user, change your password right now, and change it anywhere else you reused it, since a plaintext password leak is exactly what credential-reuse attacks feed on.
UPDATE: The “hacker” concerned, Chris Russo, has sent us a lengthy explanation of his side of the story.
Russo notes: “Last Friday, 21 January, we discovered a vulnerability in www.plentyoffish.com exposing users’ details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most cases PayPal accounts, of more than 28,000,000 (twenty-eight million) users. This vulnerability was under active exploitation by hackers.”
Russo says that he contacted Frind in order to alert him to the problem. He says Frind was in the process of hiring him as a security consultant to conduct further work when his tone changed dramatically and he accused Russo of being the hacker.
Russo maintains that he was simply reporting an error. Whatever’s actually going on here, it appears that the hack was genuine.
UPDATE 2: The following video has just been posted to Hacker News, purporting to show how Plenty of Fish was hacked. Supposedly recorded by Chris Russo (although we have no way of verifying this), the video’s YouTube description only adds to the confusion around the situation by alleging that Russo did in fact hack the site himself, not a third party as Russo suggested earlier. We’re still no closer to figuring this one out…