BreachExchange mailing list archives

eHarmony confirms its members' passwords were posted online, too


From: security curmudgeon <jericho () attrition org>
Date: Thu, 7 Jun 2012 00:51:59 -0500 (CDT)


http://arstechnica.com/security/2012/06/eharmony-confirms-member-passwords-compromise/

eHarmony confirms its members' passwords were posted online, too
Vague post leaves unanswered questions about dump of 1.5 million 
passwords.
by Dan Goodin - Jun 7, 2012 3:00 am UTC

Online dating site eHarmony has confirmed that a massive list of passwords 
posted online included those used by its members.

"After investigating reports of compromised passwords, we have found that 
a small fraction of our user base has been affected," company officials 
said in a blog post published Wednesday evening. The company didn't say 
what percentage of 1.5 million of the passwords, some appearing as MD5 
cryptographic hashes and others converted into plaintext, belonged to its 
members. The confirmation followed a report first brought by Ars that a 
dump of eHarmony user data preceded a separate dump of LinkedIn passwords.

eHarmony's blog also omitted any discussion of how the passwords were 
leaked. That's unsettling, because it means there's no way to know if the 
lapse that exposed member passwords has been fixed. Instead, the post 
repeated mostly meaningless assurances about the website's use of "robust 
security measures, including password hashing and data encryption, to 
protect our members' personal information." Oh, company engineers also 
protect users with "state-of-the-art firewalls, load balancers, SSL and 
other sophisticated security approaches."

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
