OkCupid account hijackings highlight website account management issues

Users of popular dating site OkCupid have been complaining of hackers taking over their account, locking them out by changing the associated email address and password, and using information gleaned from the account to harass them.

But a company spokesperson said that there has been no increase in account takeovers and no security breach at OkCupid.

What happened?

If OkCupid’s assurances are valid, a likely explanation for the account hijackings is that attackers are using login credentials stolen from other sites to access OkCupid accounts.

“If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach. Lists including your email address and passwords can be sold to bad actors who will try your password on lots of different sites until they find one that works,” the company explains in its support pages.

They advise users to use a password unique to OkCupid, to use a mix of letters, numbers, capitalization, and symbols for it, and to make it long.

More advice for users

“I agree with all of the advice OkCupid offered. Users should have unique passwords for every website, or at the very least, have a unique password for every site you care anything about. You should at least consider unique passwords for things that will make your life difficult when they get hacked,” Terry Ray, Imperva SVP and Fellow, told Help Net Security.

“Password managers are available – some for free and some for a fee, some for your computer, some for mobile and some for both – so there’s no real reason not to use one. Yes, it can be very annoying to not know your password and have to go look it up, but it’s more annoying to have your account hacked.”

He also pointed out that the advice to change the password to tomething unique doesn’t mean using Password1, Password2, Password3 and so on for different accounts.

“Use letters and numbers in nursery rhymes:’HDS4tOn4W@ll,’ for Humpty Dumpty Sat On A Wall. Whatever works, put them in a password manager and move onto the next website.”

Finally, he advised on using 2-factor authentication where possible.

“Testing usernames and passwords from a list is an automated process. It’s cheap, fast and easy for attackers to execute. Two-factor authentication helps for sure and I encourage its use, but not every website supports it yet,” he concluded.

Unfortunately for OkCupid users, the site still does not provide the option.

Advice for website owners and administrators

Tim Mackey, Senior Technical Evangelist at Synopsys, pointed out these account hijackings throw light on a key issue we face with account and identity management: web sites often use an email address as a form of identification but don’t validate that email address at any point during the account lifecycle.

“From the reported OkCupid responses to inquiries, it appears a user’s email address is their primary form of account identifier. Given that users can change email addresses, that email addresses may no longer become valid (say as the result of a provider shutting down), and that email is an insecure form of communication, the use of email as a primary form of identification is problematic from the outset,” he explained.

“While it’s likely rather difficult for OkCupid to quickly resolve their use of email as an identifier, there some best practices any organization seeking to use email within their applications should consider.

1. Consent is key. Don’t assume that a user correctly entered a valid email address. If they can’t confirm via email that they received a confirmation email, then they likely won’t receive any other messages. Worse, if they can’t confirm, then perhaps the email address doesn’t belong to them and you may have leaked personal information on that user who may have done nothing more serious than typo their email address in a form.

2. Consent is key – again. When changing an email address, don’t assume the user making the change entered the correct email address. Confirm their address with the new email address, and then only once confirmed change over from the prior one. Also send a confirmation email for this operation to the old address. This way if an account take over were to occur, the legitimate user would have an opportunity to identify the issue.

3. Take the claim of identity fraud seriously. If someone asserts their account was taken over, assist them in their recovery if they have access to any of the prior communication modes.

4. Retain a log of prior identification modes used. If someone changes their email address, don’t simply overwrite the old value with a new one. Retain that this action occurred. Identity theft can occur with all web properties and businesses aren’t built with frustrated users.”