Slashdot: News for Nerds

PlentyofFish Hacked, Founder Emails Hacker's Mom

Soulskill posted more than 3 years ago | from the that'd-probably-stop-a-lot-of-hackers-actually dept.

Security 367

hellkyng writes "The online dating site PlentyofFish was hacked, and purportedly 30 million customer records were stolen. The site's founder, Markus Frind, is blaming the security researcher who discovered the vulnerability and the journalist who confirmed the issue." The researcher who reported the vulnerability is Chris Russo, one of the guys who hacked The Pirate Bay last year. He explained his side of the story as well. Mr. Frind says he tracked down Russo's Facebook page and emailed his mom.

367 comments

should not affect slashdot crowd (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35059222)

should not affect slashdot crowd since they do not date.

Re:should not affect slashdot crowd (5, Funny)

Lord Ender (156273) | more than 3 years ago | (#35059514)

On the contrary, I recently experimented with online dating myself. In my experience, the site should actually be called "plenty of whales" though...

Re:should not affect slashdot crowd (1, Informative)

DNS-and-BIND (461968) | more than 3 years ago | (#35059548)

LOL parent +5 Informative

Re:should not affect slashdot crowd (2)

cayenne8 (626475) | more than 3 years ago | (#35059584)

"On the contrary, I recently experimented with online dating myself. In my experience, the site should actually be called "plenty of whales" though..."

Yeah..I was looking on there the other day, and WOW...there are a lot of BIG women on there.

Hard to find anything worth hitting on on POF.

Frankly, I don't buy enough flour really to 'use' on those women I've seen on that site, and I tend to shop in bulk at Sam's clubs......

Re:should not affect slashdot crowd (3, Interesting)

Nadaka (224565) | more than 3 years ago | (#35059616)

You must have seen my little sister's profile; she will kill me if she knows I was joking about her.

She keeps telling me about how I can meet a nice girl there after breaking up with my whore ex.

Right after she tells me about all the dirty old men, halfwits and creeps she has to filter through.

Re:should not affect slashdot crowd (4, Insightful)

Anonymous Coward | more than 3 years ago | (#35059848)

My wife and I met via online personals. She was telling me that about 95% of the emails she got were from men with user ID's along the lines of "Bigpenis69" and "Bigstud72" and the like. That's the reason why she even talked to me, because I didn't have a name that was in any way reflecting my supposed virility. I have no trouble believing that most of your sister's replies come from old, creepy dudes.

Also, regarding the "plenty of whales" comment above... it amuses me to no end that many lonely geeks and nerds will judge less attractive women to be not worth asking out, only to turn around and moan and whine when attractive women use the same methods to exclude them from consideration.
Q: "Why don't pretty women like me?"
A: Because they're just as shallow as you are and judge as much by appearance as you do.

Re:should not affect slashdot crowd (2)

DNS-and-BIND (461968) | more than 3 years ago | (#35060060)

Being pretty or not has little to do with how much weight you choose to carry. I have seen so many lovely women - from the neck up. From the neck down it's a disaster area. If she only weighed 130 instead of 250, she'd be perfect.

Re:should not affect slashdot crowd (0)

Anonymous Coward | more than 3 years ago | (#35060100)

A woman who is simply plain has no control over her appearance and I would happily go out with one of them if we got along. A woman who is fat has total control over her weight and anyone who says otherwise is full of crap. The problem with the fat woman is not only is she unattractive, but she's unhealthy, probably has poor hygiene and can make you fat as well [nytimes.com] .

Aside from that, the problem with most guys here is probably not how they look, but how they act. Most women, beautiful or not, don't care what a guy looks like. Shallow ones might like money, but the non-shallow ones (yes, there are single beautiful, non-shallow and intelligent women out there) will like a guy with a good personality and sense of humour. Although I think I'm a fairly attractive guy, I've met most of my past girlfriends primarily because I'm a very outgoing person by nature.

Re:should not affect slashdot crowd (0)

Anonymous Coward | more than 3 years ago | (#35060172)

I've finally figured it out.

The single most damaging thing a man can do for his chances is to let a woman figure out that he trusts her. Bam, game over. Instant friend-zone. Permanently.

Re:should not affect slashdot crowd (0)

Anonymous Coward | more than 3 years ago | (#35059962)

Right after she tells me about all the dirty old men, halfwits and creeps she has to filter through.

LMAO -- Apparently /. users do troll PoF after all!

-AC

Re:should not affect slashdot crowd (3, Funny)

EMR (13768) | more than 3 years ago | (#35059690)

When I first saw the site, I thought it was Plenty Offish :-D

Re:should not affect slashdot crowd (1)

DarkIye (875062) | more than 3 years ago | (#35059838)

Ha ha ha, ha ha ha, ha ha FUCKING HA.

makes sense (4, Insightful)

Charliemopps (1157495) | more than 3 years ago | (#35059260)

The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.

Re:makes sense (5, Funny)

SIR_Taco (467460) | more than 3 years ago | (#35059296)

What's worse, after his Mom reads the e-mail, she'll probably kick him out of the basement!

Re:makes sense (5, Funny)

pawntokingspawn (1305045) | more than 3 years ago | (#35059544)

and cancel his Warcraft subscription

Re:makes sense (1)

Gilmoure (18428) | more than 3 years ago | (#35059806)

Dang it!

Re:makes sense (1)

locallyunscene (1000523) | more than 3 years ago | (#35059332)

What "weakness in the hackers' security" are you referring to? The one where they gave them their names because they were trying to disclose a vulnerability? I wasn't aware searching for a name on Facebook was considered hacking now. Silly comment.

Re:makes sense (0)

ElectricTurtle (1171201) | more than 3 years ago | (#35059362)

Apparently you haven't heard of all the 'google hacks' ... searching for anything now seems to be considered hacking.

Re:makes sense (0)

Anonymous Coward | more than 3 years ago | (#35059720)

Pretty sure it was meant as a joke... you know, like "I'm gonna tell your mom on you". It's funny because he still lives with his mom... he's implying that his mom is a... you know what, never mind. This joke is not for you.

Re:makes sense (2)

rvw (755107) | more than 3 years ago | (#35059354)

The "hacker" found a weakness in the website's security and exploited it. Then the website found a weakness in the hacker's security and did the same in turn. You'd think the hacker in question would be a little more secure about their own personal information.

Disturbing! Finding his Facebook page is quite an impressive hack. Then emailing his mom - wow man - that will definitely scare him off. One hacker down!

Re:makes sense (1)

bemymonkey (1244086) | more than 3 years ago | (#35059534)

You should read the articles linked in the summary - quite an entertaining read. Chris Russo comes off looking like the victim, and the dating site (which appears to be the same to dating sites as blogs are to serious journalism) founder comes off looking like a complete jackass.

Re:makes sense (1)

Onymous Coward (97719) | more than 3 years ago | (#35060164)

The articles linked in the summary? The PoF blog says stuff like

On January 18th, after days of countless and unsuccessful attempts, a hacker gained access to Plentyoffish.com database. We are aware from our logs that 345 accounts were successfully exported. Hackers attempted to negotiate with Plentyoffish to "hire" them as a security team. If Plentyoffish failed to cooperate, hackers threatened to release hacked accounts to the press.

[Emphasis mine.]

It may be a while before a more objective view is sorted out.

That *was* the traditional penalty (5, Interesting)

billstewart (78916) | more than 3 years ago | (#35059602)

Back when Cheswick and Bellovin were doing the original Bell Labs firewalls, and caught a Dutch teenager trying to hack into their site, the Netherlands didn't have any computer security laws that made it illegal. "So we called his mom...."

oh dear (0)

Anonymous Coward | more than 3 years ago | (#35059262)

He is in trouble now, what a narq

Password in plaintext email (5, Interesting)

RobertB-DC (622190) | more than 3 years ago | (#35059308)

I was on the site for a while. It was always slightly clunky, but I'd prefer a free, one-man labor of love to a buy-in site that basically tries to promise sex for money. It was particularly helpful in helping me discover that I wasn't as bad as most of the creeps out there... and conversely, creepiness doesn't belong exclusively to those of the male persuasion. That was good to know -- it helped me realize that I need to be picky. (And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class).

But on the tech side, it irritated the living crap outta me that POF would send me a weekly e-mail with my password IN PLAIN TEXT. Every week, just as a reminder of how easy it would be to log in. Yeah, easy for *anyone* to log in as me and, if I were foolish enough to put important information on POF, to mess with my life. And, of course, if I were foolish enough to use that password for my bank account... well, I think anyone on this site knows the rest.

So I'm not at all surprised that someone found a way to hack POF. Sending a password in plaintext is bad, but not uncommon. Heck, T-Mobile does it. But sending it every week, unsolicited? I'm sorry to be rude, but that's just stupid.

Re:Password in plaintext email (5, Funny)

Anonymous Coward | more than 3 years ago | (#35059364)

And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class.

Please confirm that you weren't the teacher, and she's not a student in this class...

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35059428)

And my pickiness was rewarded many times over when I found my fiancee. In my Sunday School class.

Please confirm that you weren't the teacher, and she's not a student in this class...

Why does that matter? He didn't say 2nd grade Sunday school teacher.

Re:Password in plaintext email (1)

dumeinst (664891) | more than 3 years ago | (#35059978)

I wonder if anyone outside the southeastern United States knows that there's 'Sunday School' for grown-ups? I certainly didn't before I moved here!

Re:Password in plaintext email (1)

Unkyjar (1148699) | more than 3 years ago | (#35059764)

Hot cougar sunday school teacher action!

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35059996)

I was thinking it but wasn't going to post it :).

Re:Password in plaintext email (3, Interesting)

Anonymous Coward | more than 3 years ago | (#35059434)

I used POF, and found its interface to be absolute shit. I still get emails from them on a bi-weekly basis, with password still in plaintext (after noticing this the very first time I immediately changed it to something more appropriate to something emailed in plaintext). The guy who runs it makes like $1mil+ a month in ad revenue, so I don't really feel bad about his baby getting hacked when he has the money to hire someone with half a brain.

Re:Password in plaintext email (3, Funny)

religious freak (1005821) | more than 3 years ago | (#35059488)

Agreed. I've used it. And honestly I think online dating is the most efficient way to find someone you're compatible with. You have a list of people answering questions you wouldn't dare to ask them before you see them naked a few times (e.g. what religion are you, do you want to get married and/or just have fun) and you've got a whole list of them. Select your criteria, weed out the fatties and the uglies and email the rest. A couple of them respond, talk to them go on dates with a few and 'viola' - instant girlfriend and/or friend with benefits. It's beautiful. And like you said, most of the competition is just deadbeat dudes. Pretty easy to beat.

But as you also said, it's one dude's project and the interface... well, it kind of shows it. I'm not surprised they're hacked. But honestly, these dating services are generally public anyway, so if these sites are not hacked, they're definitely farmed. The way I look at it... fuck it. I'm looking for titties!

Re:Password in plaintext email (1)

CCarrot (1562079) | more than 3 years ago | (#35059568)

And like you said, most of the competition is just deadbeat dudes. Pretty easy to beat. [...] Select your criteria, weed out the fatties and the uglies and email the rest. [...] The way I look at it... fuck it. I'm looking for titties!

Hmmm...and your definition of a 'deadbeat dude' includes what, exactly?

The competition may be tougher than you think...

(and it's 'voila', not 'viola'. That would be a musical instrument, or a flower.)

Re:Password in plaintext email (2)

cayenne8 (626475) | more than 3 years ago | (#35059626)

"Hmmm...and your definition of a 'deadbeat dude' includes what, exactly?"

Apparently, just something as basic as having a job (especially one that doesn't include wearing a nametag saying 'Hi, my name is...') is a hard thing for women to find out there.

And apparently it is even harder to find men that not only have jobs, but have decent hygiene, wear decent clothes and have a personality greater than that of a small soap dish.

At least..that's what I hear from women out there. Having a job...really gets you ahead of a LOT of the crowd of guys out there on these things. I'd guess what I described above are some things that would describe a 'deadbeat dude'.

Re:Password in plaintext email (3, Funny)

danbert8 (1024253) | more than 3 years ago | (#35059746)

You know, I've heard this repeated so many times, but I can't even get a response from girls on dating websites despite not only having a job, but a well paying job. Yes, I'm a nerd, but still. You'd think I could at least get a response... I'm going to go cry into a wad of cash now.

Re:Password in plaintext email (2)

Gilmoure (18428) | more than 3 years ago | (#35059834)

Buy more dice.

Re:Password in plaintext email (3, Interesting)

cayenne8 (626475) | more than 3 years ago | (#35060020)

"You know, I've heard this repeated so many times, but I can't even get a response from girls on dating websites despite not only having a job, but a well paying job. "

Hmm....just how many girls on the websites are you approaching? You know, it is really a HUGE numbers game on the internet, maybe even more so than in real life meatspace.

Are you trying to contact 100's or more of women a week?

Make yourself out a basic 'template' of an email to use...with some spaces in there to maybe personalize your message a little bit...maybe to mention one specific thing you read about her (if you bother reading them, and don't go straight from looks). Anyway, use this basic 'canned' email and send it out over and over and over and over and...well, you get the idea. Heck, even send it to chicks you might not even be interested in, just to gauge response. If it doesn't work...tweak it a little.

I actually heard some guys did the reverse engineering thing...they created a fictitious account as a chick, with good looking pics and all...just for the sole objective...of seeing what other guys were posting on their profiles, and the types of emails they were sending. Some guys doing this even would have girls that were just friends read what the guys were sending, just to see what they, as women, thought they would respond to.

The researchers used all this to tune their emails to women, and started getting a lot more response (of course, they STILL sent out 100's and 1000s of emails to women, but they were better quality emails).

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35059920)

Whoa there, my personality is greater than a MEDIUM size soap dish.

Thanks for the tip about a "job" though, I might have to look into that.

Re:Password in plaintext email (1)

religious freak (1005821) | more than 3 years ago | (#35059944)

Lol - I actually wrote this post in a hurry, because I'm working (compile time, ya know ;-)

Point taken, but if lusting after boobs makes me a deadbeat, then I know I'm not alone! As one of the replies said, deadbeats are the guys that don't shower, work, or have manners.

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35059654)

And yes, I'm a geek :P

Re:Password in plaintext email (1)

aliquis (678370) | more than 3 years ago | (#35059682)

Select your criteria, weed out the fatties and the uglies and email the rest. A couple of them respond, talk to them go on dates with a few and 'viola' - instant girlfriend and/or friend with benefits.

Sadly enough the women seem to weed out the nerds living in their parents' basement. So it doesn't work for me.

But a good idea .. For the successful ones, those greedy bastards who can already get one even out in the sun...

Probably contacted 10.000+, slept with 0. ;)

(Probably three possibilities though, but that doesn't count (fat by European standards.))

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35060090)

Go to your local community college and sign up for a writing class. Your writing is painful to read and difficult to understand. Maybe you'd get a better response rate if women could understand what you were trying to say.

Re:Password in plaintext email (1)

jd (1658) | more than 3 years ago | (#35059826)

The create-an-account page was broken when I tried the site, and tech support sent abusive mail, so I now regard them as a bunch of juveniles. A dating site that is actually usable has to be their first priority; competent and friendly tech support needs to be their next.

Re:Password in plaintext email (5, Funny)

Whalou (721698) | more than 3 years ago | (#35059564)

[...]I'd prefer a free, one-man labor of love[...]

So you don't date? :-P

Re:Password in plaintext email (1)

moeluv (1785142) | more than 3 years ago | (#35059802)

I wish I had a mod point for you sir. First good laugh I've had all day.

Re:Password in plaintext email (1)

Sam36 (1065410) | more than 3 years ago | (#35059590)

amen!

Re:Password in plaintext email (2)

tokul (682258) | more than 3 years ago | (#35059656)

Sending a password in plaintext is bad, but not uncommon.

If a site can email you your password, it is not just bad. It is a sign of fscked-up security. The only way of knowing your password is to store it in plain text or in some automatically decipherable form. If a site sends you your password, you should ask them why password hashes are not used.
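The point above, as an added example (not code from PlentyofFish or from anyone in this thread): a site that stores only a salted one-way hash cannot put the password in an e-mail at all, and a "forgot password" flow then has to send a short-lived, single-use reset token instead. The record layout, the function names and the PBKDF2 work factor are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed work factor for this illustration; pick the largest your login
# latency budget allows and raise it over time.
PBKDF2_ITERATIONS = 200_000


class UserRecord:
    """Everything the site keeps about one account. No field yields the password."""

    def __init__(self, salt, pw_hash):
        self.salt = salt                  # per-user random salt
        self.pw_hash = pw_hash            # PBKDF2-HMAC-SHA256 output
        self.reset_token_hash = None      # only a hash of any outstanding reset token
        self.reset_expires = 0.0          # unix time after which the token is dead


def _hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password):
    """Store a fresh salt and the derived hash; the plaintext is discarded here."""
    salt = os.urandom(16)
    return UserRecord(salt, _hash_password(password, salt))


def verify_login(record, candidate):
    # Re-derive from the candidate and compare in constant time. Nothing in
    # the record can be "decrypted" back to the original password.
    return hmac.compare_digest(record.pw_hash, _hash_password(candidate, record.salt))


def issue_reset_token(record, now=None, ttl_seconds=900):
    """What a password-reminder mail should carry instead of the password."""
    token = secrets.token_urlsafe(32)
    record.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
    record.reset_expires = (now if now is not None else time.time()) + ttl_seconds
    return token   # goes in the e-mail; a stolen database holds only its hash


def redeem_reset_token(record, token, new_password, now=None):
    """Consume the token once, within its lifetime, and set a new password."""
    now = now if now is not None else time.time()
    if record.reset_token_hash is None or now > record.reset_expires:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(record.reset_token_hash, presented):
        return False
    record.reset_token_hash = None       # single use
    record.salt = os.urandom(16)         # new salt with the new password
    record.pw_hash = _hash_password(new_password, record.salt)
    return True


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print("login ok:", verify_login(rec, "correct horse battery staple"))
    tok = issue_reset_token(rec)
    print("reset ok:", redeem_reset_token(rec, tok, "new password"))
    print("old password still works:", verify_login(rec, "correct horse battery staple"))
```

The weekly "here is your password" mail described in the parent post is only possible when `pw_hash` is replaced by the password itself or by something the server can decrypt; with the layout above, the most a leaked database or a leaked mailbox exposes is a salted hash and an expired token hash.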

Re:Password in plaintext email (1)

smooth wombat (796938) | more than 3 years ago | (#35059774)

I didn't mind the interface. It was nice to see something simple. However, I left when he became more like Facebook in that to read any message you had to supply information such as your income level, occupation, and related matters.

While you could falsify the stuff, the problem came in when it was discovered that when you did a search, your results were based on what was on your profile. So if you said your salary was $100K, then whatever programming was done on the backside would limit your results to people who had a salary range of $80K - $110K, for example. Someone who made $50K would not be included. Markus himself said that this was done because (paraphrasing) like follows like.

You could bypass this by doing a generic search from the main page without logging in but that shouldn't have had to be done.

There were other issues that made me finally throw in the towel (to paraphrase another poster on here, "Moo!"), but overall it was because in my area there was very little selection. I'm not overly picky, but when you talk about how badly you were treated in the past or you don't take shit from anyone, I'll keep walking.

Re:Password in plaintext email (0)

Anonymous Coward | more than 3 years ago | (#35060082)

how badly you were treated in the past

Those girls usually give the best sex, they usually are into anything if you project that you love them. I had many rim-job that way

Re:Password in plaintext email (1)

asdfghjklqwertyuiop (649296) | more than 3 years ago | (#35060118)

So if you said your salary was $100K, then whatever programming was done on the backside would limit your results to people who had a salary range of $80K - $110K, for example. Someone who made $50K would not be included.

The results would limit to other people who *themselves* made $80-110K, or to people who *wanted someone else* who makes $80-110K?

Re:Password in plaintext email (1)

madhurms (736552) | more than 3 years ago | (#35059964)

But sending it every week, unsolicited?

POF actually emails you DAILY with a list of matches. Yeah, the latest email (sent on Jan 30) still includes the password in plain text.

Torrent? (0)

Anonymous Coward | more than 3 years ago | (#35059372)

Post torrent to the data or it didn't happen! (too soon?)

Your mom... (4, Funny)

meerling (1487879) | more than 3 years ago | (#35059376)

So an immature but technically competent jerk cracked your computers and is now trying to get your company's lunch money, metaphorically. Your response is, among other things, to tell his mom.
O_o
You know, that sounds about right.

Re:Your mom... (1)

jd (1658) | more than 3 years ago | (#35059846)

Strange. I thought it sounded more like a line from Regular Show.

Not surprised (1)

Zexarious (691024) | more than 3 years ago | (#35059392)

Not surprised that site got hacked and is full of incompetent developers and people. If you go there every other sentence has some huge grammatical error in it. The guy running it is completely illiterate. The design is horrible too. I'm sure nobody there knows what's going on at all! Who uses MSSQL?!? Get for real. I thought it was funny that the sentence 'there is a serial killer murdering people from the website' was said all non-nonchalantly in the article.

Re:Not surprised (2)

Anonymous Coward | more than 3 years ago | (#35059666)

...If you go there every other sentence has some huge grammatical error in it. The guy running it is completely illiterate.... Get for real.

Those who live in glass houses shouldn't throw stones, wouldn't you say? Your grammar is not exactly tip-top yourself... What the hell does "Get for real" mean, I mean, in a proper English sense?

Re:Not surprised (1)

RightSaidFred99 (874576) | more than 3 years ago | (#35059922)

Who uses MSSQL?!?

Lol. Professionals? I suppose instead they should use some open source DB? You _totally_ know what you're talking about, dude.

Re:Not surprised (4, Insightful)

Joe U (443617) | more than 3 years ago | (#35059930)

Who uses MSSQL?!?

The same groups that use Oracle and Sybase. People who care about database performance and support.

Re:Not surprised (2)

Zexarious (691024) | more than 3 years ago | (#35060116)

Is that why we're commenting on a story about how that thing got hacked in like 4 seconds by some Argentinian guy and his mom?

Sorry to hear that your grammar died. (0, Troll)

Anonymous Coward | more than 3 years ago | (#35059950)

Here is an *incomplete* list of corrections:

"Not surprised that site got hacked and is full of incompetent developers and people."
should be:
"I'm not surprised that the site got hacked, and is run by incompetent developers and people."
---
"If you go there every other sentence has some huge grammatical error in it."
should be:
"Every other sentence on the site contains a huge grammatical error."
(I'm guessing that you didn't really mean that the grammatical errors are conditional, and only appear when you go to the site.)
---
"The design is horrible too."
should be:
"The design is horrible, too."
---
"Get for real."
I believe the phrase you're looking for is:
"Get real."
---
"I thought it was funny that the sentence 'there is a serial killer murdering people from the website' was said all non-nonchalantly in the article."
should be:
"I think it's funny that he so nonchalantly wrote, "... there was a serial killer, murdering people from the website."
or probably more appropriately, leave the quote out:
"I think it's funny that he so nonchalantly mentioned that there was a serial killer murdering his users."

What I would like to know... (1)

benjymouse (756774) | more than 3 years ago | (#35059394)

How would a "security researcher" know that a SQL injection bug was being actively exploited if he just uncovered the bug himself?

This sounds a bit odd, as using a SQL injection to expose the users' details would require you to deliberately manipulate querystring parameters or form fields. The results will display in your own browser. How would he know whether anyone else was doing this? Was it because he really didn't uncover it himself but found the 30.000 users' details somewhere else?

No, this sounds a lot more like someone mildly proficient (you can use automated tools to find SQL injections so this is just one level above script kiddie) found a bug and wanted to capitalize on it. To underline the seriousness he embellished a little on the "being actively exploited".

I take it that POF has server logs and that they can tell from those whether anyone else exploited the bug.
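For readers who want to see concretely what the SQL injection bug class discussed in this post looks like on the defender's side, here is an added example that is not code from the site or from any poster: a constructed in-memory SQLite table, a lookup that splices a request parameter into the SQL text, and the parameterised lookup that fixes it. Table, column and function names are this example's own.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data; stands in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The request parameter becomes part of the SQL text, so quote characters
    # in it change the statement's structure instead of being matched literally.
    # This is the defect; it is kept only to contrast with the fix below.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameter binding sends the value separately from the statement text;
    # the engine never parses the value as SQL, whatever it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_allowlisted(conn, username):
    # Defence in depth: reject anything that is not a plausible username before
    # it reaches the database. Binding, not this check, is what stops injection;
    # the check mainly keeps junk out of logs and error paths.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # the textbook probe from any SQLi tutorial
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row leaks
    print("safe:      ", lookup_safe(db, crafted))         # nothing matches
    print("allowlist: ", lookup_allowlisted(db, crafted))  # rejected outright
```

The vulnerable function returns the whole table for the crafted value because the single quote closes the string literal and the rest is evaluated as SQL; the bound version returns nothing because the value is compared as a literal string. The same contrast is what a code review or a web application firewall rule is looking for: string formatting into a query versus a placeholder.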

Re:What I would like to know... (1)

arth1 (260657) | more than 3 years ago | (#35059450)

We only have the site owner's word for the claim that the hacker claimed it was actively exploited.

Does this web site operator really strike you as the most trustworthy of characters?
(Not that we have any reason to trust Mr. Russo either -- that's the point, it doesn't have to be black and white.)

Take a step back and look at the few things we DO know:
- The site employed poor security practices
- The site was hacked
- The hacker contacted the site owner

Anything beyond this is at this point hearsay.

Re:What I would like to know... (2)

Ash Vince (602485) | more than 3 years ago | (#35059928)

We only have the site owner's word for the claim that the hacker claimed it was actively exploited.

Does this web site operator really strike you as the most trustworthy of characters?
(Not that we have any reason to trust Mr. Russo either -- that's the point, it doesn't have to be black and white.)

Take a step back and look at the few things we DO know:
- The site employed poor security practices
- The site was hacked
- The hacker contacted the site owner

Anything beyond this is at this point hearsay.

Conducting unrequested and unauthorised penetration testing is a criminal offence, and that should always be the case. Otherwise you could have too many people who get caught hacking and then just hide behind the excuse that they were just doing some penetration testing and were going to notify the site owners if they found anything.

The reality is that a large number of sites out there have vulnerabilities as not every site can afford to have their site penetration tested on a regular basis. Coders can do their best but they are only human, and hence they occasionally make mistakes. It only takes a single mistake made on a Friday afternoon while the office was winding down and you can be vulnerable.

Not every business model can support the profit margins needed to support expert code reviews and penetration testing of every new release, especially while the entire economy shrinks and both companies and the public have less money to spend. Since creating an absolutely secure site is both very expensive and often not entirely understood by management it is a very easy corner to cut.

Hacking a site you have nothing to do with and then contacting the owner to offer your security services in return for payment is a little too close to extortion for my liking.

Re:What I would like to know... (1)

Stiletto (12066) | more than 3 years ago | (#35060092)

The reality is that a large number of businesses out there do not have front doors, or keep their doors wide open, as not every business can afford to have their office facilities penetration tested on a regular basis. Maintenance staff can do their best but they are only human, and hence they occasionally make mistakes. It only takes a single mistake made on a Friday afternoon while the office was winding down and you can be vulnerable.

Not every business model can support the profit margins needed to purchase doors, close them, and lock them, and penetration testing of every building entry and exit, especially while the entire economy shrinks and both companies and the public have less money to spend. Since creating an absolutely secure facility is both very expensive and often not entirely understood by management it is a very easy corner to cut.

Re:What I would like to know... (1)

dmesg0 (1342071) | more than 3 years ago | (#35059530)

What he says is that this kind of vulnerability is actively exploited by hackers, not necessarily on this particular site. It's not something very specific to the site, but a common technique, so the site is under very high risk.

He's done more than you have, big talker (-1)

Anonymous Coward | more than 3 years ago | (#35059750)

"No, this sounds a lot more like someone mildly proficient (you can use automated tools to find SQL injections so this is just one level above script kiddie) found a bug and wanted to capitalize on it. To underline the seriousness he embellished a little on the "being actively exploited". - by benjymouse (756774) on Monday January 31, @02:24PM (#35059394)

You, by way of comparison? You sound a lot more like someone mildly "armchair quarterback" jealous, in my estimation!

So - What have YOU ever done that contributed anything to the realm of security as Mr. Russo did??

APK

P.S.=> Lot of "big talkers" & "armchair QB critics" around here on /., and I have YET to see any of "your kind" show you've actually done ANYTHING worth noting in the computer sciences.

Don't LIKE that? Well - Consider this your opportunity to prove me wrong then!

(You won't & can't, I strongly wager. I say that, because I have been around here, actively, since 2004 & have YET to see that from "your kind" (big talkers, but done nothing noteworthy & good in the eyes of others, especially in publications in this art & science of computing) that critique others' findings as you have, putting them down as you did, do better)... apk

sounds like extortion, assuming the email is legit (2)

seifried (12921) | more than 3 years ago | (#35059410)

Assuming the Plentyoffish guy isn't lying (a definite possibility): http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/ [wordpress.com] states:

They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations

I just looked it up online and found no mention of needing different incorporation types for dealing with customers only in Argentina vs. external to Argentina. The highest fee I found online (although I'm sure there are companies willing to charge more) was USD $1760 to form a "Sociedad Anónima" vs. USD $1370 to form a "Sociedad de Responsabilidad Limitada" (sounds like a standard Limited Liability Corporation, but I'm not an Argentine business lawyer so I could be wrong), far short of the $15,000 they are asking for.

Re:sounds like extortion, assuming the email is le (1)

Zerth (26112) | more than 3 years ago | (#35059532)

If I got an email that looked like:

Hi, I'm a security researcher from Buenos Aires, Argentina.

Last Friday, 21 January, we discovered a vulnerability in www.plentyoffish.com exposing users' details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most cases PayPal accounts, of more than 28,000,000 (twenty-eight million) users. This vulnerability was under active exploitation by hackers.

I'd assume it was somebody trying to scam me.

Re:sounds like extortion, assuming the email is le (0)

Anonymous Coward | more than 3 years ago | (#35059674)

Assuming the Plentyoffish guy isn't lying (a definite possibility): http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/ [wordpress.com] states:

I'm not sure if he's telling the truth, but I am sure we'll need to wait until the paranoid cocaine binge he was on when writing that is over to find out.

Hyphens (3, Funny)

Barefoot Monkey (1657313) | more than 3 years ago | (#35059442)

I realise that this is somewhat off-topic, but it can't be a good idea to have a dating site with a domain name that reads as "plenty offish". When will people learn to use hyphens in domain names?

Re:Hyphens (5, Insightful)

arth1 (260657) | more than 3 years ago | (#35059562)

Ask the good people at penisland, expertsexchange and powergenitalia that :)

Re:Hyphens (1)

Stregano (1285764) | more than 3 years ago | (#35059698)

LOL, I know about experts-exchange since I have been there, but the other 2 I can't figure out outside of the awesomeness that they are in this context

Re:Hyphens (2)

arth1 (260657) | more than 3 years ago | (#35059738)

Yes, expertsexchange.com wisely changed their name to experts-exchange.
I'm not sure whether pen-island and powergen-italia.it have done the same. :)

Re:Hyphens (1)

jd (1658) | more than 3 years ago | (#35059904)

Why bother with hyphens? plenty.of.fish doesn't use any more characters and is arguably more readable. Yes, it means you have to worry about "fish" being taken, but fish.co is currently listed as available (it's a parked address) so plenty.of.fish.co would be a perfectly good registration. For now.

The main benefit of having it done like this is that whoever owns fish.co can resell names from that without conflicting with their own site. You can't really do the same with offish.com.

Re:Hyphens (1)

SockPuppetOfTheWeek (1910282) | more than 3 years ago | (#35059968)

The main benefit of having it done like this is that whoever owns fish.co can resell names from that without conflicting with their own site.

Then the owner of "fish.co" notices that "plenty.of.fish.co" is getting a ton of hits, and decides the fee just quadrupled for the "plenty.of." subdomain he's been renting to you...

Enabling cyber-squatting isn't a "benefit".

Plenty of Fish was never secure (2)

Japong (793982) | more than 3 years ago | (#35059446)

Tried Plenty of Fish for a short while - as a default, the service will mail 'new matches' to the email account you registered with every few days. These emails contain a plain-text version of your password (which essentially reads as "Remember, your password is: XXXX123").

It's not entirely surprising that the site had its security compromised.

Re:Plenty of Fish was never secure (1)

Digicrat (973598) | more than 3 years ago | (#35059728)

Indeed.

No secure site should even have the ability to read your plaintext password from the database, let alone email it to you on a regular basis. The only (potentially) secure password database is the one that's encrypted with a one-way hash.

Re:Plenty of Fish was never secure (1)

sorak (246725) | more than 3 years ago | (#35059892)

As a side, when gawker got hacked, they had the one-way hash, and either no salt, or a known/guessable salt. Simple passwords have still been discovered, via a dictionary attack. So, you were right to put (potentially) in there.
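
Japong's, Digicrat's and sorak's points above in working code. This is an added example written for this page, not code from PlentyofFish, Gawker or any commenter; the user table, the wordlist and the iteration count are constructed assumptions. It stores the same passwords two ways, once as a bare fast hash (the Gawker-style scheme sorak describes) and once with a random per-user salt and a slow PBKDF2 derivation, then runs the same dictionary attack against both tables. Weak passwords fall either way, which is sorak's caveat, but the unsalted table leaks which users share a password and lets the attacker hash each guess once for all users, while the salted table forces one full derivation per user per guess. Neither scheme can ever send the password back in a "reminder" email, because the site no longer holds it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (assumption, not breach data); two share a weak password.
USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3-xkcd-936",
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "fish1234"]

# Assumed work factor for the salted scheme; tune upward for real deployments.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Identical passwords give identical rows."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store scheme, iteration count, salt and digest together so verification
    can recompute exactly what was stored. The salt is fresh per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt/iterations; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unknown scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    return {user: salted_hash(pw, iterations=iterations) for user, pw in users.items()}


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Dictionary attack on the unsalted table. Every word is hashed once and the
    result looked up against all users, so the work is len(wordlist) hashes no
    matter how many accounts leaked. Returns (recovered passwords, hashes computed)."""
    precomputed = {unsalted_hash(word): word for word in wordlist}
    recovered = {user: precomputed[h] for user, h in table.items() if h in precomputed}
    return recovered, len(wordlist)


def crack_salted(table: dict, wordlist) -> tuple:
    """Same attack on the salted table. Precomputation is useless because each row
    has its own salt, so every (user, guess) pair costs a full PBKDF2 run.
    Returns (recovered passwords, derivations computed)."""
    recovered = {}
    work = 0
    for user, stored in table.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, stored):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    unsalted = build_unsalted_table(USERS)
    print("alice and bob share a row in the unsalted table:",
          unsalted["alice"] == unsalted["bob"])
    print("unsalted attack:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_table(USERS)
    print("alice and bob share a row in the salted table:",
          salted["alice"] == salted["bob"])
    print("salted attack:", crack_salted(salted, WORDLIST))
```

Run as a script it reports both attacks recovering "letmein" for alice and bob and nothing for carol, with the unsalted attack costing 5 hashes in total and the salted one 11 separate derivations at the full work factor. A dedicated password hash (bcrypt, scrypt or Argon2) would be the usual production choice over raw PBKDF2, but the storage-format and verification pattern is the same.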

Before commenting, read Russo's response. (0)

Anonymous Coward | more than 3 years ago | (#35059528)

n/t

Who's winning/losing (0)

Anonymous Coward | more than 3 years ago | (#35059538)

On most stories like this I think, hey, the bad guys are winning, because they're top-notch hackers. In this story, I'm thinking, hey, the stupid guys are losing, because they're really stupid.

The security researcher's story (1)

wiredog (43288) | more than 3 years ago | (#35059554)

here [krebsonsecurity.com].

I bet PoF used double Rot-13 encryption.

Re:The security researcher's story (1)

suso (153703) | more than 3 years ago | (#35059926)

I bet PoF used double Rot-13 encryption.

Wow, that sounds like a very secure algorithm, where can I get it?

Markus' Email to Chris Russo (4, Interesting)

Japong (793982) | more than 3 years ago | (#35059598)

Quoted from Russo's response:

If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.

Then I'm going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.

Markus.

Re:Markus' Email to Chris Russo (1)

royallthefourth (1564389) | more than 3 years ago | (#35059946)

I'm sure Chris Russo's attorney would have quite a fun time talking about the libel were Markus to actually sue after doing such a thing.

Re:Markus' Email to Chris Russo (1)

papasui (567265) | more than 3 years ago | (#35060048)

Not really libel if he actually did it. Just sayin.

Re:Markus' Email to Chris Russo (0)

Anonymous Coward | more than 3 years ago | (#35060034)

Hmm. Perhaps 4chan needs to intercede on that fuckwit markus.

Re:Markus' Email to Chris Russo (1)

papasui (567265) | more than 3 years ago | (#35060102)

In summary, if you act like a fucktard to the wrong people, they might do bad things to you. Karma

Aren't all Dating sites more or less hacked? (1)

McNihil (612243) | more than 3 years ago | (#35059622)

Who in their right mind believes anything on plentyoffish.com, match.com, date.com, cupid.com, eharmony.com... All they are optimized to do is to increase the likelihood NOT to find the correct partner so as to get as much free money as possible. Not doing it this way would be an epic loss of opportunity from a business point of view.

Re:Aren't all Dating sites more or less hacked? (0)

Anonymous Coward | more than 3 years ago | (#35059766)

That's pretty much bullshit. The polished sites like match.com work quite well if you're willing to be honest, put in some time, and go on more than a few dates. That's how I met my fiancee.

If a pay service *never* worked the word would spread around pretty quickly.

Re:Aren't all Dating sites more or less hacked? (1)

Chalex (71702) | more than 3 years ago | (#35059772)

First, OKCupid is free. Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.

Re:Aren't all Dating sites more or less hacked? (2)

morari (1080535) | more than 3 years ago | (#35059882)

Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.

Actually, I'm pretty sure that is how it works. Cars are not terribly reliable contraptions, and purposefully so.

huh? (0)

Anonymous Coward | more than 3 years ago | (#35060022)

Second, what you're saying is that car manufacturers should sell us cars that break down after a year so that we're forced to buy new working cars? That's not how it works.

Actually, I'm pretty sure that is how it works. Cars are not terribly reliable contraptions, and purposefully so.

...looks out at twelve-year-old car in parking lot...

Maybe you're not holding it right.

Seriously, I own two cars, one is 12 years old, the other is 10 years old. Both run and drive like new.

Re:Aren't all Dating sites more or less hacked? (2)

BBTaeKwonDo (1540945) | more than 3 years ago | (#35060142)

As a general rule, cars have been getting more and more reliable every year. They don't make them like they used to, and that's a good thing. Are there still preventable defects in cars? Sure, but they're getting fewer and farther between.

Re:Aren't all Dating sites more or less hacked? (1)

Anonymous Coward | more than 3 years ago | (#35059888)

That's not how it works.

Unfamiliar with the term planned obsolescence?

NEW HIGH SCORE! (1)

GameboyRMH (1153867) | more than 3 years ago | (#35059854)

This breaks the previous record for the most logins compromised at once by a factor of 3 (beating Trapster's 10 million)

They contacted me this afternoon... (1)

Burnhard (1031106) | more than 3 years ago | (#35059856)

They've changed all passwords due to the attack (I got a fresh, random one). I have a vague worry that my email address will turn up somewhere I don't want it to, but apart from that there's no other useful personal information on my profile, which, when I come to think of it is kind-of ironic for a dating site :p.

Bad Title (3, Insightful)

Galestar (1473827) | more than 3 years ago | (#35060000)

He didn't email the hacker's mother, he emailed the security researcher's mother. Some unknown party hacked his website, and he blames the security researcher that was going out of his way to assist them in closing the vulnerability. After reading the researchers take on this, POF CEO could possibly be facing criminal charges for uttering death threats, harassment and perhaps a civil libel suit.

PlentyofFish.com Hacked, Blames Messenger (2)

Qlither (1614211) | more than 3 years ago | (#35060084)

*Headline taken from : http://www.krebsonsecurity.com/

A much easier headline.

Despite the term hacker not defining whether good or bad, instead only indicating circumvention of computer security, it has been used so virally in the media that it now tends to imply that a malicious hack was carried out. In short the headline "PlentyofFish Hacked, Founder Emails Hacker's Mom" seems to suggest that the founder of PlentyofFish had found the person who breached his servers and then emailed their mother. However that is not the case.

https://secure.wikimedia.org/wikipedia/en/wiki/Hacker

Markus is acting like a bureaucrat... (1)

moronikos (595352) | more than 3 years ago | (#35060152)

I have an account. I logged in some time last week and it said my password had expired and I needed to change it. The change screen was sort of crappy and I was able to "reset" my password to the old password. If the rat b@st@rd had said "we've been hacked and you need to change your password", well, I would have changed my password to something else. But, just a simple expiration? Well, really not a reason to change my password.

Bureaucrats get caught with their pants down, don't come clean for a while, and then they go and blame everyone else for their screw ups.

Markus, take a hint. Don't send people's passwords to them in an e-mail once or more a week. Geez... Now, I do have a reason to change my password.

gas station (1)

papasui (567265) | more than 3 years ago | (#35060176)

There's a gas station by my house that likes to put the names of people that bounced checks along with all their contact info on a great big billboard for the entire city to see. It's pretty entertaining.