[ISN] eHarmony confirms its members' passwords were posted online, too

From: InfoSec News <alerts_at_private>
Date: Thu, 7 Jun 2012 02:58:42 -0500 (CDT)
http://arstechnica.com/security/2012/06/eharmony-confirms-member-passwords-compromise/

By Dan Goodin
ars technica
June 6 2012

Online dating site eHarmony has confirmed that a massive list of 
passwords posted online included those used by its members.

"After investigating reports of compromised passwords, we have found 
that a small fraction of our user base has been affected," company 
officials said in a blog post published Wednesday evening. The company 
didn't say what percentage of the 1.5 million passwords, some 
appearing as MD5 cryptographic hashes and others converted into 
plaintext, belonged to its members. The confirmation followed a report 
first brought by Ars that a dump of eHarmony user data preceded a 
separate dump of LinkedIn passwords.

eHarmony's blog also omitted any discussion of how the passwords were 
leaked. That's unsettling, because it means there's no way to know if 
the lapse that exposed member passwords has been fixed. Instead, the 
post repeated mostly meaningless assurances about the website's use of 
"robust security measures, including password hashing and data 
encryption, to protect our members’ personal information." Oh, company 
engineers also protect users with "state-of-the-art firewalls, load 
balancers, SSL and other sophisticated security approaches."

The company recommended users choose passwords with eight or more 
characters that include upper- and lower-case letters, and that those 
passwords be changed regularly and not used across multiple sites. This 
post will be updated if eHarmony provides what we'd consider more useful 
information, including whether the cause of the breach has been 
identified and fixed and the last time the website had a security audit.

[...]


Received on Thu Jun 07 2012 - 00:58:42 PDT