
Plentyoffish hacker Chris Russo infiltrates eHarmony, user data stolen

Popular dating site eHarmony.com has been hacked, according to Brian Krebs of security news site KrebsOnSecurity.com, who informed the company of the breach. Users of the site have been notified to change their passwords in an effort to curb the consequences of the attack.

Krebs says the man responsible is none other than Argentina-based “security researcher” Chris “Ch” Russo — the same person who recently cracked into eHarmony competitor Plentyoffish.

Russo told Krebs that he had discovered eHarmony’s vulnerability late last year, but said that he had “hit a brick wall in his research.” Roughly a week ago, however, Krebs says he heard from “a source in the hacker underground” that eHarmony had been hacked. After some research, Krebs discovered a post on hacker site Carder.biz, submitted by user “Provider,” which offered eHarmony user data for $2-3,000. Russo initially said he knew nothing about the illegal data sale, but later conceded that an “associate” of his may have been responsible.

Chief technology officer for eHarmony, Joseph Essas, told Krebs that Russo discovered an SQL injection vulnerability, which gave him access to user data, including “screen names, email address, and hashed passwords.” But he added that they had “found no evidence to suggest that Russo has successfully compromised at the network level our corporate email and eHarmony site environments.”

Essas added that Russo had approached eHarmony to offer them security services to fix the flaws in their system. Needless to say, eHarmony declined.

“Russo’s fraudulent efforts to obtain money from us are most disturbing,” Essas told Krebs. “As such, we are exploring our legal rights and remedies as well.”

Plentyoffish CEO Markus Frind reported a similar extortion attempt by Russo.

Given these two instances, it’s difficult to determine Russo’s intentions. Are they merely foolish extortion attempts, or is he genuinely trying to offer his security services? (Which, in the way he’s conducting business, would seem equally foolish.)

Regardless, he certainly is making a name for himself — and a bad one at that.