The Canadian creator of one of the world’s biggest online dating sites says Plenty of Fish has been hacked and the passwords of users have been compromised.
In a bizarre, rambling blog post that hints at alleged extortion, death threats and demands from “Russians,” CEO Markus Frind says Plenty of Fish was hacked last week, adding he’s had several sleepless nights while security gaps were filled.
Frind believes emails, usernames and passwords were downloaded during an “incredibly well planned and sophisticated attack,” which he alleges was perpetrated by Argentinian Chris Russo, who last year claimed responsibility for hacking the Pirate Bay, a site which allows users to illegally download music and movies.
“On Jan. 18, after days of countless and unsuccessful attempts, a hacker gained access to Plentyoffish.com database. We are aware from our logs that 345 accounts were successfully exported,” states Frind’s blog.
“The Plenty of Fish team had spent several days testing its systems to ensure no other vulnerabilities were found. Several security measures, including forced password reset, had been imposed. Plentyoffish is bringing on several security companies to perform an external security audit, and will take all measures necessary to make sure its users are safe.”
On the Plenty of Fish blog, Russo has claimed that he was simply trying to inform administrators about flaws in the site. He also said he was open to working for the dating site as a security consultant.
Frind did not respond to interview requests but said in a brief email, “I don’t want to say too much more about it. The kid is clearly crazy.”
Frind launched the free dating website in Vancouver in 2003 and has almost single-handedly grown it into a massive online enterprise with 28 million users. It’s ranked within the top 100 websites in the U.S. and U.K. by web tracking company Alexa, and is about 40th in Canada.
Dave Evans, a consultant and analyst who follows the online dating industry, said the fact that Frind does so much of the site’s work himself may have caught up with him.
Users have long complained that the site was not encrypting passwords sent through email, which represented a major security risk.
“Here’s a self-made millionaire who’s a total hardcore geek and has built most of the site himself,” said Evans, who runs Online Dating Insider, “but yet hasn’t spent evidently any time on securing passwords, which to me is just like, talk about leaving the keys to the kingdom outside the moat.”
“The fact that it wasn’t done, to me, I almost call it a lack of respect for your members.”
Some users on the site’s forums were also complaining on Monday that Frind has only been forthright with the security issue on his blog and not on the Plenty of Fish home page.
“The site owner didn’t think it was important to notify the users … but did find it important enough to go off on a crazed diatribe on his personal blog,” posted user fnord.
“Despite claiming to have plugged the security hole, Plenty of Fish is still sending out passwords in plain text, which is just this side of just posting them on the Internet for everyone to see.”
“Email is unencrypted plain text and can be sniffed and compromised very easily,” added user QuasarDJ.
“I have grave concerns about the security of my personal information on the Plenty of Fish site and I’ve yet to see even the most simple updates to guard against these problems.”
Markus Frind’s Plenty of Fish blog: http://bit.ly/h4IND9