PlentyofFish Hacked: The Unbelievable Story
According to a post on founder and CEO Markus Frind’s blog, popular free online dating site PlentyofFish was hacked last week, leading the PlentyofFish team to believe that all usernames and passwords were downloaded and compromised. Though the news is coming from the CEO’s personal blog, PlentyofFish hasn’t yet released an official statement. Sites get hacked all the time–even Facebook overlord Mark Zuckerberg’s own Facebook page was hacked last week–but the PlentyofFish hack comes with a fairly elaborate and ridiculous story.
The post on Frind’s blog states that an Argentinian hacker named Chris Russo, who Frind claims also happened to hack The Pirate Bay, signed up for Frind’s dating site two days before Frind was to attend an online dating conference in Miami. Supposedly, it took Russo two days to hack the site, with the attacks starting while Frind was on an airplane headed to the Miami conference. Frind states that Russo didn’t even try to hide behind a proxy, signed up with his real name, and commenced the attacks while actually logged into his PlentyofFish account.
From here, the story gets pretty absurd, as Frind claims his wife received a call from Russo, claiming that the dating site has been hacked, and “Russians have taken over his computer and are trying to kill him, and his life is in extreme danger, and they are currently downloading plentyoffish’s database.” Frind claims he then closed the security breach, launched an investigation, and over the next twenty-four hours, both he and his wife received various frantic voicemails from Russo.
Frind’s wife then received a message from Brian Krebs, a former Washington Post employee, regarding the breach, in which Krebs claimed Russo is a harmless kid from Argentina who happened to contact him regarding the PlentyofFish breach. Eventually, Frind gets into contact with Russo over the phone, and Russo explains that the mysterious Russians have access to everything on PlentyofFish, including bank accounts, and plan on stealing thirty million dollars from various dating sites, which happens to include PlentyofFish. The reason why Russo knows all this? He claims the Russians have taken over his computer and he can see everything the Russians are doing.
So far, so ridiculous. The second time Frind gets into contact with Russo, Russo claims he has a business partner named Luca, and is no longer afraid of the Russians killing him, and claims both he and Luca work together as a security company. They supposedly tell Frind that in exchange for complete access to all of the dating site’s source code and SQL databases, they can make sure the attacks don’t happen again. They ask Frind to sign NDA contracts and claim they know where the Russians dumped the dating site’s stolen data, which they can erase. Even weirder, Russo and Luca then attempted to get officially hired by Frind, asking if they would be making over $100k or $500k per year. For some reason, Frind asked for the hackers’ resumes, and once received, supposedly discovered that the places the hackers claimed they previously worked for were places they previously hacked and attempted to exploit in a similar fashion.
According to Frind’s blog post, he feels Russo and Luca are trying to extort the dating site, but are making things up as they go because they have “absolutely no idea what they are doing.” Finally, Frind claims he emailed Russo’s mother, because that’s what you do in the world of business and digital intrigue.
To make the story even more interesting, Grumo Media supposedly got into contact with Chris Russo, and he replied with a fairly different story. He claims he’s a security researcher and discovered the vulnerability in the dating site which was under “active exploitation by hackers.” Russo’s team then got into contact with Frind and his wife, informed them of the security flaw, and Frind was so thankful that he offered to hire Russo’s team as “security professionals.” Russo claims that while he and his team were getting the appropriate employment documents ready, Frind became increasingly aggressive and told Russo to speak with two of Frind’s employees, “because there was a serial killer, murdering people from the website.”
Russo claims that the vulnerability was properly documented by his security team, without exposing any of the dating site’s user information, detailing the hack as “an error based MSSQL injection, that could allow any attacker to make a full backup of the databases used by the webserver, and or [sic] gain direct access to the site.” Russo then claims that Frind sent him a pretty aggressive email, which can be seen over on Grumo Media, accusing him, without proof, of being the hacker responsible for the security breach, and threatening Russo by saying that if the dating site’s data goes public, he’ll send every single member of PlentyofFish Russo’s personal information, including a picture of Russo, his phone number, and email address.
Russo also claims that after the threatening email, there were a few phone calls from Frind where Frind directly accused Russo’s team of stealing the dating site’s data, and also mentioned there are “mafias behind sites like the one he runs.”
As one can plainly see, there are two extremely different sides to the story, both of which seem pretty over the top: Mafias behind dating sites and a real life the://plentyoffish.killer? Whichever story is closer to the truth, it appears that PlentyofFish was legitimately hacked, and whenever the site’s official statement regarding the hack is released, we can be sure it’ll only further muddle the story.
(PlentyofFish Blog via Hacker News)