eHarmony confirms breach around 1.5M passwords stolen

Hot on the heels of the LinkedIn password leak, the online dating site eHarmony is the latest to confirm that "a small fraction" of member passwords have been stolen and leaked publicly.

The passwords, like LinkedIn's, were stored as SHA1 hashes, which can be cracked given enough time, as the latest update on the LinkedIn breach shows: user accounts are already being used to send spam emails.

eHarmony corporate communications manager Becky Teraoka said in a statement:

After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members...

Teraoka added that a password reset has already taken place on the affected accounts, some 1.5 million according to SlashGear, which could save a little embarrassment for those people affected.

eHarmony also advised customers to update their password to “at least 8 characters, composed of lowercase and uppercase letters, numbers and symbols”, added that members should not use the same password on different sites, and advised updating it every few months.

The company didn't say how the passwords were acquired.
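The two technical points in the article, that SHA1-stored passwords can be cracked and that a longer password helps, are easier to judge with a worked comparison. The following is an added example written for this page, not code from the article, SlashGear or eHarmony. The wordlist is constructed for the demonstration, the iteration count is an assumption chosen for the example, and the "stronger" replacement scheme is the standard library's PBKDF2, shown as a representative salted slow hash rather than anything eHarmony stated it uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist standing in for the password dictionaries
# used in offline cracking; a real list has millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "iloveyou"]

# Assumption for this example: a work factor of 100k PBKDF2 iterations.
PBKDF2_ITERATIONS = 100_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA1 of the password, the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_in_wordlist(sha1_digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Offline dictionary check against an unsalted SHA1 digest.

    With no salt, one SHA1 computation per candidate word tests that word
    against every leaked account at once, and a precomputed digest table
    transfers to any site that stores passwords this way. A password that
    is not in any wordlist (long, not a dictionary word or a known leak)
    survives this check, which is the grain of truth in the 8-character
    advice; the fix on the server side is the scheme below.
    Returns the matching word, or None if no candidate matches.
    """
    for candidate in wordlist:
        if sha1_hex(candidate) == sha1_digest:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256 from the standard library).

    A random 16-byte per-user salt means two users with the same password
    get different records and precomputed tables are useless; the
    iteration count makes each guess cost PBKDF2_ITERATIONS hash
    operations instead of one. Returns (salt, digest) for storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    leaked = sha1_hex("password1")
    print("unsalted SHA1 recovered:", find_in_wordlist(leaked))
    salt, digest = hash_password("password1")
    print("salted PBKDF2 record:", salt.hex(), digest.hex())
    print("verify correct password:", verify_password("password1", salt, digest))
    print("verify wrong password:", verify_password("password2", salt, digest))
```

Run it and note that the same password hashed twice with hash_password produces two different records, whereas sha1_hex always produces the same digest, which is exactly why a single leaked SHA1 table is so valuable and why per-user salts plus a work factor are the usual remedy.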

Source: SlashGear | Image: SlashGear


22 Comments

I hope other companies are noticing and doing what they can to secure SHA1 passwords. Cause my guess is...it's the same person doing all of this.

texasghost said,
I hope other companies are noticing and doing what they can to secure SHA1 passwords. Cause my guess is...it's the same person doing all of this.

The worrying part is, these companies have only confessed or acknowledged a breach after the hackers start to post the information on public websites for everyone to ogle at. I'm sure there are many sites that have hackers in their site, dormant, waiting until they need information from the site.
Imagine this: you're a high profile hacker and offer your services to the highest bidder. Not to hack sites, but to provide undisclosed information on a person. Having several sites you can run a quick search on and bring up interesting results from can be very valuable, sometimes more so than committing fraud on credit card details etc.

An example would be someone wants all the dirty secrets about one of the UK's PMs, David Cameron. They go to the hacker and they run a quick search. It comes back with all his LinkedIn profile data, his messages. An eHarmony search result unexpectedly comes up too. What's this, Mr Cameron has been playing away from home with the girls next door? That's some prime (excuse the pun) blackmail or something that can be used to simply destroy his leadership in the government of the UK.

Other times, hackers could use it to their advantage. Fancy a new Apple MacBook? Sure thing, the hackers sitting in Apple's store simply create their own discount code, order up, ship off and then erase that it ever happened.

So... to the people whose passwords didn't get stolen, that's kind of sucky in a way. It means even the hackers don't want anything to do with you.

I wish more sites would move to triple authentication (some sort of authenticator or security question). It seems to be the best way to go right now.

xWhiplash said,
I wish more sites would move to triple authentication (some sort of authenticator or security question). It seems to be the best way to go right now.

If these sites that are getting hacked can't protect your password, do you really think they're going to bother even hashing your security question/answer... and even if they did, those 'questions' are often weaker than a password thanks to social media these days.

Does the US not have a regulator for this kind of stuff? I know that in the UK we have the Information Commissioner's Office (ICO) that will often fine companies for data breaches like this.

No. The Companies own the Government here. They are allowed to do whatever they want. A verbal scalding is all they will get, and we will get more SOPA type bills.

So...with eHarmony's users password stolen, their accounts will be hacked and be filled with even MORE incorrect information and half-truths. I see no problem here.

Question
They say to update the password with 8 characters and other complex characters, but if it is simply SHA1 encryption, the password will get cracked no matter how strong it is, won't it? Or am I missing some new security thingy they're implementing?

PS: I didn't have an account there so nothing to worry about just a curiosity.

cork1958 said,
Sheesh!!

Who's running and working at these companies, third graders?

It would seem that way, however, what this does demonstrate is how little these companies care about the safety of their users' data. It's all about making $$$ and sadly spending money to protect their users' data doesn't tend to be high up on their to-do list (being an area that spends rather than makes money, they tend to cut corners). This is obviously an over-generalization but you get the idea.

mrbester said,
Indeed. Saying it is "a small fraction" is laughable. Any fraction, no matter the size, is too large.

no matter the size, is too large? that's what she said

Neobond said,
I lol'd

Always a little risky poking the owner of the site

You hope he knows you do it because you love him, but if he doesn't, you hope he's gentle with you