Users of dating website eHarmony told their passwords have been stolen

Filed Under: Data loss, Featured, Privacy

Online dating website eHarmony has confirmed that passwords for some of its users have been exposed in a security breach that echoes the high profile incident involving LinkedIn yesterday.


In a blog post, eHarmony's corporate communications chief Becky Teraoka said that the firm was resetting the passwords of affected users.

Unfortunately, eHarmony doesn't offer much detail about the security incident - saying only that "a small fraction" of its userbase was affected, and sharing no information about how the data breach might have happened.

As with the LinkedIn breach, eHarmony users' passwords were exposed in the form of hashes. In this case, the hashes of 1.5 million eHarmony passwords were uploaded to websites, where hackers were encouraged to join forces to crack them.

What really disappoints me is that eHarmony misses an opportunity to tell its users explicitly that, if they use the same password on other websites, they must change their passwords there too.

As we've said many times, you shouldn't use the same password on multiple websites. Doing so is a recipe for disaster - because if you get hacked in one place, all of your other online accounts at other sites which use the same password could fall shortly afterwards.


4 Responses to Users of dating website eHarmony told their passwords have been stolen

  1. Cliff Jones · 813 days ago

    Question: by what means would someone who's cracked a password at one site find other sites to try to use it upon? How would they know that user xyz at site A has any other accounts with other sites?

    It seems there's one initial assumption, that the user reuses the same password AND user name on other sites.

    Unless they have a user name to go with it, attempting to brute force a different site with a cracked password from a different site would seem fruitless.

    It seems either the cracker would have to compromise my personal machine from which I do logins, or I'd have to be stupid enough to yak about my presence (including user name) on other sites, e.g. "hey, look me up on the foo forum, I'm 'xyz' over there..."

    Am I missing some vector by which a cracker can associate user names/passwords on different platforms? Or am I underestimating the power available for random brute force user name guessing?

    • Dave · 812 days ago

      I think it's more a 'just in case' than anything else.

      Due to usernames being a lot more limiting than email addresses, it's becoming more and more popular to use an email address as your username. So if the passwords are stolen along with the email addresses, it wouldn't be too long before one of the combinations you have works on ebay, paypal, etc.

      That's the way I see it anyway.

  2. David · 812 days ago

    I believe this isn't the first time that eHarmony have been hacked.

    I had an eHarmony account which I set up with a "disposable" email address that is quite convoluted and you wouldn't come up with by chance, and which I *only* used on eHarmony.

    I started to notice that some of my spam emails were to this email address in March 2011, which I can only explain by their database being hacked back then or earlier.

  3. Mary Eby · 711 days ago

    This is the danger in giving too much about yourself over internet dating sites. You could meet a total fraud because no one could really verify the information about them unless you confirm it in person.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.