eHarmony Reveals Breach

Hashed Passwords Likely Exposed
The online dating website eHarmony has warned a "small fraction" of its users of a June 6 breach that likely exposed hashed passwords associated with online accounts.

According to the technology news site Ars Technica, roughly 1.5 million unsalted password hashes, a portion of which have already been cracked to plaintext, appear to belong to eHarmony users. Because the hashes carry no salt, a single precomputed table of candidate passwords can be checked against every hash in the dump at once. Ars also reports that at least 420 of the cracked passwords contain the strings "eharmony" or "harmony."
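The following is an added illustration, not code from the article, Ars Technica or eHarmony, of why an unsalted hash list cracks the way the report describes. The passwords, wordlist and mangling rules are constructed for the demonstration; the salted alternative uses PBKDF2-HMAC-SHA256 with a per-user random salt (the assumed replacement, not anything eHarmony is known to have deployed).

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demonstration. These are not real leaked
# credentials; they mimic the weak, brand-themed passwords the report mentions.
SAMPLE_PASSWORDS = ["eharmony1", "iloveharmony", "password", "harmony2012", "s3cretPa55!"]

# Tiny constructed wordlist; real cracking runs use millions of entries.
WORDLIST = ["password", "123456", "love", "harmony", "eharmony", "letmein"]


def unsalted_md5(password: str) -> str:
    """Legacy storage: one MD5 of the password, no salt. Every user who picks
    the same password gets the same hash, so one lookup table cracks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def leaked_hashes() -> list:
    """Stand-in for a dumped hash list (constructed from SAMPLE_PASSWORDS)."""
    return [unsalted_md5(p) for p in SAMPLE_PASSWORDS]


def candidates(wordlist):
    """Mangling rules of the sort cracking tools apply: the word itself,
    word + a common suffix, and 'ilove' + word."""
    for word in wordlist:
        yield word
        for suffix in ("1", "12", "123", "2012"):
            yield word + suffix
        yield "ilove" + word


def crack_unsalted(hashes, wordlist) -> dict:
    """Attack on unsalted hashes: hash each candidate once, then look every
    leaked hash up in the table. Work grows with the wordlist, not the user count."""
    table = {unsalted_md5(c): c for c in candidates(wordlist)}
    return {h: table[h] for h in hashes if h in table}


def store_pbkdf2(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """Corrected storage: random 16-byte salt per user plus a slow KDF.
    Stored as salt_hex$iterations$dk_hex so verification can recover the parameters."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """Same wordlist against salted, stretched hashes: the KDF must be re-run for
    every candidate for EVERY record, so work is users x candidates x iterations
    instead of a single pass over the wordlist."""
    found, attempts = {}, 0
    for stored in records:
        for cand in candidates(wordlist):
            attempts += 1
            if verify_pbkdf2(cand, stored):
                found[stored] = cand
                break
    return found, attempts


if __name__ == "__main__":
    cracked = crack_unsalted(leaked_hashes(), WORDLIST)
    print(f"unsalted MD5: {len(cracked)}/{len(SAMPLE_PASSWORDS)} cracked from one table "
          f"of {len(list(candidates(WORDLIST)))} hashes")
    print("  cracked passwords containing 'harmony':",
          sum("harmony" in p for p in cracked.values()))
    # Low iteration count only to keep the demo quick; production should be far higher.
    records = [store_pbkdf2(p, iterations=1_000) for p in SAMPLE_PASSWORDS]
    found, attempts = crack_salted(records, WORDLIST)
    print(f"salted PBKDF2: {len(found)}/{len(records)} cracked, but it cost {attempts} KDF runs")
```

The same four weak passwords fall either way; the difference is cost. Against the unsalted list the attacker hashes the wordlist once and reads every match out of a dictionary, while per-user salts force a fresh KDF run per candidate per account and the iteration count multiplies each of those runs.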

The breach comes on the heels of the LinkedIn compromise that may have exposed nearly 6.5 million hashed passwords associated with the social network's accounts (see LinkedIn Confirms Password Breach). Whether the two breaches are related has not yet been confirmed.

The eHarmony site, which has more than 20 million registered users, posted a blog June 6 about the compromise.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," the blog states. The company is continuing its investigation.

As a precaution, eHarmony says it has automatically reset passwords for affected members. The site says it's directly notifying those members via e-mail with additional instructions.

Linked Events?

Graham Cluley, a senior technology consultant at Sophos who blogged about the eHarmony and LinkedIn breaches, believes the timing of the leaks is no coincidence.

"I would find it surprising if they weren't connected," Cluley says. "Of course, we'll wait to hear from both LinkedIn and eHarmony about whether they have identified how the security breach occurred."

Cluley also notes that the hashed eHarmony password list was posted in the same underground forums as the list of hashed passwords copied from LinkedIn.

Because 65 percent of online users reuse the same password for all or most of their online accounts, including banking accounts, there is a high chance that a revealed eHarmony or LinkedIn password could be used to access other accounts, says Gartner fraud analyst Avivah Litan.

Doug Johnson, vice president of risk management policy for the American Bankers Association, says the breaches exemplify why it is so critical for online users not to use the same passwords across all of their social and financial sites.

"One of the incentives to attack sites like LinkedIn is clearly to not just social-engineer, but also test whether individuals are using a consistent password rather than mixing it up," he says.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
