Online dating website eHarmony has confirmed that passwords for some of its users have been exposed in a security breach that echoes the high-profile incident involving LinkedIn yesterday.
In a blog post, eHarmony’s corporate communications chief Becky Teraoka said that the firm was resetting the passwords of affected users.
Unfortunately, eHarmony doesn’t offer much detail about the security incident – saying only that “a small fraction” of its userbase was impacted, and sharing no information about how the data breach might have happened.
As with the LinkedIn breach, eHarmony users’ passwords were exposed in the form of hashes. In this case, the hashes of 1.5 million eHarmony passwords were uploaded to websites, where hackers were encouraged to join forces to crack them.
What really disappoints me is that eHarmony misses an opportunity to tell its users explicitly that if they use the same password on other websites they must change their passwords there also.
As we’ve said many times, you shouldn’t use the same password on multiple websites. Doing so is a recipe for disaster – because if you get hacked in one place, all of your other online accounts at other sites that use the same password could fall shortly afterwards.
Question: by what means would someone who's cracked a password at one site find other sites to try to use it upon? How would they know that user xyz at site A has any other accounts with other sites?
It seems there's one initial assumption, that the user reuses the same password AND user name on other sites.
Unless they have a user name to go with it, attempting to brute force a different site with a cracked password from a different site would seem fruitless.
It seems either the cracker would have to compromise my personal machine from which I do logins, or I'd have to be stupid enough to yak about my presence (including user name) on other sites, e.g. "hey, look me up on the foo forum, I'm 'xyz' over there…"
Am I missing some vector by which a cracker can associate user names/passwords on different platforms? Or am I underestimating the power available for random brute force user name guessing?
I think it's more a 'just in case' than anything else.
Due to usernames being a lot more limiting than email addresses, it's becoming more and more popular that you use an email address as your username. So if the passwords are stolen along with the email address, it wouldn't be too long before one of the combinations you have works on eBay, PayPal, etc.
That's the way I see it anyway.
I believe this isn't the first time that eHarmony have been hacked.
I had an eHarmony account which I set up with a "disposable" email address that is quite convoluted and you wouldn't come up with by chance, and which I *only* used on eHarmony.
I started to notice that some of my spam emails were to this email address in March 2011, which I can only explain by their database being hacked back then or earlier.
This is the danger in giving too much about yourself over internet dating sites. You could meet a total fraud because no one could really verify the information about them unless you confirm it in person.