The Argentinian hackers that hacked The Pirate Bay back in July are at it again.
They have supposedly hacked the popular free online dating site PlentyOfFish and, according to the site's founder and CEO Markus Frind, tried to extort money from him and his company by first creating a sense of panic and then offering to help him close the hole in the site.
It is still difficult to tell which side is telling the truth.
Frind accuses Chris Russo, the unofficial spokesman of the group (which Russo describes as a security company), of having contacted him and his wife with the news that they had uncovered a hole in the site that some Russians were already exploiting.
He says Russo claimed that the Russians had got their hands on usernames, (plain-text) passwords, names, e-mail addresses, phone numbers, street addresses and PayPal accounts of some 28 million users, and that Frind should consider retaining the group's services to close the hole and delete the collected information from the server where the Russians had stashed it.
Frind apparently decided to play along and see the thing through. He asked the group to send their CVs so that he could check their professional credentials, and they did. Frind says that when he checked, he found that many of the places the group claimed to have worked for were in fact places they had tried to hack and extort.
On the other hand, Russo asserts that the extortion claims are bogus, that they have only reported a bug in the site, developed a proof-of-concept that demonstrates the existence of the vulnerability and offered their services when asked for advice on what to do.
“The vulnerability was properly documented by our team, without exposing any confidential user information,” he writes. “This was an error based MSSQL injection, that could allow any attacker to make a full backup of the databases used by the webserver, and/or gain direct access into the site.”
He claims that after the initially good rapport the two sides seemed to have established, Frind turned around and accused them of having hacked the site themselves and of trying to extort the company.
A third party has been unwillingly embroiled in this mess: the well-known security expert Brian Krebs, who backs Russo's account.
According to Krebs, Russo contacted him with the information about the hole in PlentyOfFish.com, and Krebs verified the claim by opening an account on the site and having Russo tell him which username and password he had just registered with. Because the account was brand new, reading its credentials back demonstrates live read access to the user table, not possession of an old database dump.
When he tried to contact Frind, the PlentyOfFish CEO apparently refused to reply to his e-mails or offer any information, and Krebs then woke up this morning to find that Frind was accusing him of participating in the extortion scam.
“Part of the reason pof.com has a problem is because its database is insecure,” writes Krebs. “POF claims to have closed the security hole and reset all user passwords. But on top of that, the company appears to store its customer and user passwords in plain text, which is a Security 101 no-no. Companies that fail to take even this basic security step and then look for places to point the finger when they get hacked show serious disregard for the security and privacy of their users.”
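The two technical points in this story are a login query built from user-supplied strings (the "error based MSSQL injection" Russo describes, in which the database's own error messages leak back to the client) and a user table holding passwords in plain text (the "Security 101 no-no" Krebs describes). The following is an added example, not code from pof.com or from anyone quoted on this page: it places the vulnerable pattern beside its hardened form. It assumes an in-memory SQLite table as a stand-in for the real MSSQL backend (the injection and storage points are the same; MSSQL-specific error-extraction tricks are not reproduced), constructed sample accounts, and salted PBKDF2-HMAC-SHA256 as the password hash.

```python
"""Vulnerable vs hardened login: string-built SQL plus plain-text passwords
on one side, bound parameters plus salted PBKDF2 hashes on the other."""
import hashlib
import hmac
import os
import sqlite3

# OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune for your own hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed sample accounts (not real data).
SAMPLE_USERS = [("alice", "s3cret-pass"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite stand-in (assumption) for the site's user table, seeded
    twice: once stored the way the article says pof did it, once hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed "
                 "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw))  # plain text
        store_password(conn, user, pw)
    return conn


# ---- the vulnerable pattern ----------------------------------------------

def login_vulnerable(conn, username, password):
    """Query assembled by string formatting, compared against a plain-text
    column: whatever the user types becomes SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def probe_error(conn, username):
    """Where an 'error based' injection starts: a malformed input makes the
    database raise, and the raw error text reaches the client. Returns the
    message, or None when the query ran cleanly."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


# ---- the hardened pattern ------------------------------------------------

def store_password(conn, username, password):
    """Per-user random salt + PBKDF2; the plain-text password is never stored."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS)
    conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                 (username, salt, pw_hash))


def login_hardened(conn, username, password):
    """Bound parameter for the lookup (input stays data, never syntax) and a
    constant-time comparison of the recomputed hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, expected = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes(expected))


def dump_password_column(conn, hashed):
    """What a 'full backup of the database' hands an attacker from each table."""
    if hashed:
        return [bytes(r[0]) for r in conn.execute("SELECT pw_hash FROM users_hashed")]
    return [r[0] for r in conn.execute("SELECT password FROM users")]


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # comments out the password check in the built string
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("leaked DB error     :", probe_error(db, "'"))
    print("hardened, injected  :", login_hardened(db, payload, "anything"))
    print("plain-text dump     :", dump_password_column(db, hashed=False))
```

The `alice' --` payload turns the password clause into a comment in the string-built query and logs in without the password; the same string passed as a bound parameter simply matches no user. The dump helper makes the second point concrete: a backup of the plain-text table is the credential list itself, whereas the hashed table yields only salts and hashes that still have to be cracked one user at a time.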