Confusion, Recriminations Surround PlentyofFish Breach
Controversy has erupted around the free online dating site, PlentyofFish.com, after the Web site was found to contain a serious security vulnerability that could have potentially exposed the personal information of some 30 million users.
In another chapter of the annals of "No Good Deed Goes Unpunished," the security researcher who discovered the vulnerability and attempted to disclose it confidentially has found himself accused of conspiracy and criminal hacking by the dating site's founder, Markus Frind.
The story was first publicized by security reporter Brian Krebs on his Krebs on Security blog. According to the published report, he was contacted by Argentinian security researcher Chris Russo on January 19 regarding the Web vulnerability. According to Krebs, Russo had been a source regarding an earlier vulnerability in the Pirate Bay that exposed the personal information of 4 million users in July of last year.
This time Russo claimed that he and some friends found a SQL injection bug in PlentyofFish through which they could access account and password information of any of the site’s users. Russo then asked Krebs to create an account so he could prove this. Krebs did so, at which point he was again contacted by Russo, who regurgitated Krebs’s registration information back to him.
According to an interview Russo granted to the Web site Grumomedia.com, the vulnerabilities he discovered could allow any attacker to access and backup the database used by the webserver or gain access to the site. Russo also discovered that PlentyofFish stored user passwords in clear text, without the benefit of encryption. These and other holes were properly documented by his team without exposing any personal information, he told Grumomedia.com.
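The two weaknesses described above, a SQL injection bug and passwords stored in clear text, are shown side by side with their fixes in the following Python example. This is an added illustration, not code from PlentyofFish or from Russo's team; the table layout, the in-memory SQLite database and the user names are constructed for the demonstration. The insecure lookup splices user input into the SQL text, so even an ordinary name containing an apostrophe breaks the statement; the parameterized version treats the same input as data. Passwords are stored as a salted PBKDF2 hash instead of clear text, so a database dump does not yield usable credentials.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the server's budget


def make_db():
    """Constructed schema for the demo (not the real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_hash, iterations=ITERATIONS):
    """Constant-time comparison of the recomputed digest against the stored one."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored_hash)


def register(conn, username, password):
    # Only the salt and the hash are written; the clear-text password never hits disk.
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def lookup_vulnerable(conn, username):
    # Anti-pattern: the value becomes part of the SQL text, so any quote
    # character in it changes the statement. This is the bug class the
    # article describes.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the
    # statement, so it is always interpreted as data, never as SQL.
    cur = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur]


def demo():
    """Run both lookups on a name with an apostrophe and check password storage."""
    conn = make_db()
    register(conn, "o'brien", "correct horse battery staple")

    safe = lookup_safe(conn, "o'brien")
    try:
        lookup_vulnerable(conn, "o'brien")
        vulnerable_ok = True
    except sqlite3.OperationalError:
        vulnerable_ok = False  # the apostrophe turned the statement into invalid SQL

    salt, pw_hash = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", ("o'brien",)
    ).fetchone()
    return {
        "safe_lookup": safe,
        "vulnerable_lookup_succeeded": vulnerable_ok,
        "password_verifies": verify_password("correct horse battery staple", salt, pw_hash),
        "wrong_password_verifies": verify_password("wrong", salt, pw_hash),
        "clear_text_in_db": b"correct horse" in pw_hash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is deliberately a benign input: it is enough to show that the concatenated query lets input reach the SQL parser, which is the property an attacker abuses, while the parameterized query is unaffected. The hashing half shows what a leaked table looks like when passwords are stored properly: a salt and a digest per row, nothing that can be read back as a password.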
After learning of the hole, Krebs attempted to contact Frind, going so far as to contact the founder's wife, but never heard from Frind himself. The reasons for that became clear after a post, purportedly penned by Frind on the PlentyofFish Blog, appeared, claiming to be a “personal post about what it feels like to be hacked/extorted.” In the post, Frind accused Russo of attempting to extort him and five other “very famous” dating sites and of being in cahoots with Russian mobsters.
In an e-mail to Threatpost.com, Frind said that he felt Krebs was being manipulated by Russo in an attempt to establish a "mass sense of confusion." Russo's attempts to compromise Plenty of Fish "generated hundreds of errors ...as a result we have detailed logs about what SQL statements he ran and what data he got back."
In a follow-up statement Monday, Frind said that a hacker gained access to "345 accounts that were successfully exported" from the site.
Russo claimed that Frind resolved the vulnerability and was initially cooperative, but became progressively more aggressive as time went on.
Attacks aimed at Web sites that hold valuable information such as personally identifiable information or financial and banking data are on the increase, according to Jeremiah Grossman of the Web security firm WhiteHat. "The nature of the attack demonstrates how companies' websites are increasingly the entry point for corporate data theft," Grossman wrote in an e-mail statement.