Dating Site eHarmony Loses Passwords in LinkedIn Breach
UPDATE: Password-management company LastPass has gotten its hands on the eHarmony password file and created a webpage where you can check to see if your eHarmony password was compromised.
Dating website eHarmony was forced to reset the passwords of some of its members after they were compromised. The security snafu came the same day that a hacker leaked more than 6.4 million LinkedIn passwords.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," eHarmony spokeswoman Becky Teraoka wrote in a blog post yesterday (June 6). "As a precaution, we have reset affected members' passwords. Those members will receive an email with instructions on how to reset their passwords."
It is unclear how many passwords were compromised. An email to eHarmony seeking comment was not immediately returned.
According to CNet, the eHarmony password breach was tied to the LinkedIn password breach, which was discovered earlier in the day after a hacker asked for help cracking the LinkedIn password hashes and pointed to a file on a Russian file-hosting service.
The words "eHarmony" and "harmony" were "referenced in a separate list that was reportedly posted online," CNet wrote.
Tech site Ars Technica reported that the same hacker who had asked for help with cracking the LinkedIn passwords had previously posted a list of approximately 1.5 million passwords. It was that list that contained many passwords referencing eHarmony, though it's not clear if the list consisted only of eHarmony passwords.
By the end of the day Tuesday, Ars Technica said, all but 98,000 of the 1.5 million password hashes on the smaller list had been cracked.
As a result of the breach, eHarmony advised all its members to create strong passwords, change them frequently and use different passwords for each website they log into.
The dating site assured its users that it uses "robust security measures, including password hashing and data encryption, to protect members' personal information."
Security researcher Matt Blaze used Twitter to scoff at eHarmony's assurances, comparing it to a "security PR bingo" game he helped create to point out how online companies weasel out of accusations that their security is not strong enough.
Both LinkedIn and eHarmony store member passwords as hashes rather than in the clear (hashing is one-way, unlike encryption), but until yesterday neither "salted" the hashes with random per-user data. Without a salt, every member who chose the same password gets the same hash, and an attacker can test each guess against the whole leaked file at once instead of once per member. That is what makes it fairly easy for skilled hackers with consumer-grade computers to recover the passwords behind the hashes.
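The difference between unsalted and salted hashes, as an added example that is not part of the original article and not code from either site: a constructed four-user table is hashed two ways, then attacked with the same six-word dictionary. The unsalted scheme here uses SHA-1 and the salted one PBKDF2-SHA256 with a random 16-byte salt per user; both are choices made for this example, not a statement of what LinkedIn or eHarmony actually used. The point it shows is that one hash computation per guess covers every user of an unsalted file, identical passwords are visible before any cracking starts, and a per-user salt forces the attacker to redo the work for each account.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample "user database" for this example only (not real leaked data).
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",      # same password as alice
    "dave": "Tr0ub4dor&3xyz",  # not in the dictionary below
}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "harmony"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: same input always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt, stored as 'salthex$hashhex'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def build_unsalted_db(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_db(users: dict) -> dict:
    # A fresh random salt for every user, which is what "salting" means.
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in users.items()}


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash each guess once and look every user up in the result."""
    table = {unsalted_hash(w): w for w in wordlist}
    hash_ops = len(wordlist)  # cost does not grow with the number of users
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, hash_ops


def crack_salted(db: dict, wordlist: list, iterations: int = 50_000) -> tuple:
    """Salts differ per user, so every guess must be rehashed for every user."""
    cracked = {}
    hash_ops = 0
    for user, stored in db.items():
        salt = bytes.fromhex(stored.split("$")[0])
        for w in wordlist:
            hash_ops += 1
            if hmac.compare_digest(salted_hash(w, salt, iterations), stored):
                cracked[user] = w
                break
    return cracked, hash_ops


def duplicate_password_groups(db: dict) -> list:
    """Users whose stored hashes are identical, i.e. who share a password."""
    groups = defaultdict(list)
    for user, h in db.items():
        groups[h].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    udb = build_unsalted_db(USERS)
    sdb = build_salted_db(USERS)
    print("unsalted duplicates visible before cracking:", duplicate_password_groups(udb))
    print("salted duplicates visible:", duplicate_password_groups(sdb))
    print("unsalted cracked / hash ops:", crack_unsalted(udb, WORDLIST))
    print("salted cracked / hash ops:", crack_salted(sdb, WORDLIST))
```

Running it shows the same three weak passwords recovered from both files, but the unsalted attack spends six hash computations for the whole table while the salted one spends sixteen, and the gap widens linearly with the number of users; the salted table also hides that two members picked the same password. A slow, iterated hash like the PBKDF2 used here is a separate defence from salting and adds to the per-guess cost.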
"We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches," the eHarmony blog posting told members, listing commonplace features that are about as optional for websites as brakes and tail lights are for cars.