[BreachExchange] Wish Companies Would Stop Downplaying Security Breaches? This Dating Website Made One Up

Destry Winant destry at riskbasedsecurity.com
Tue Oct 9 21:47:24 EDT 2018


https://www.cbronline.com/news/beautiful-people-hack

Companies with great troves of customer data are always doing their
utmost to play down a security breach. Facebook, for example, last week
updated its users on the breach that affected 50 million accounts in a
blog post casually titled, “Security update”.

Others are reluctant to tell their customers at all; Yahoo was sued
earlier this year for covering up the hack of 3 billion user accounts
for months.

But what about companies at the other end of the scale, who fabricate
security breaches out of thin air?

At IPExpo in London on Wednesday, Graham Cluley, independent
cybersecurity researcher, presented a case study of such a company.

Beautiful People Hack

BeautifulPeople.com is a dating website exclusively for people deemed
by its community of users as physically attractive.

In 2011, the site issued a press release saying it had been hacked
with a virus that dismantled its vetting process and allowed anyone
to create an account on the site, which it said allowed unattractive or
overweight people to create an account.

“I saw that and I thought that’s a little bit strange,” said Cluley.
“Because how do they know people put on a little weight over
Christmas? It’s not as if you update your dating profile to say ‘I’ve
gorged myself on Yorkshire puddings’”.

A year later, BeautifulPeople said they threw out another 30,000
members after another supposed virus, dubbed the “Shrek virus”.

Cluley said that at that time, he was working for an anti-virus company.

“When I heard that a dating website had been hit by a virus, I was
interested in seeing that piece of malware; we wanted to detect it
because if a piece of malware had done such a thing, our anti-virus
would be updated to protect other dating websites.”

“They didn’t return my calls, so I got curious about BeautifulPeople.”

Cluley contacted the company to learn more about the virus, to be told
that the matter was being “internally investigated”.

BeautifulPeople also said it hadn’t stemmed from an external hacker
but an employee, and the only ones who had to worry about their data
were the 30,000 “ugly people” who had been booted off the site.

“And this story was scooped up and digested and regurgitated in the
media around the world, who believed it hook, line, and sinker.

“Here we have a company who is lying about being hacked. What’s
unusual is normally companies lie to say they haven’t been hacked, or
they’d only been a little bit and not much data’s been given.

“In the case of BeautifulPeople, they lied to say they had been hacked
to get more media attention and more people joining their website.”

There was a coda to the Beautiful People hack story, Cluley said.

BeautifulPeople got hacked — an actual hack that affected 1 million of
its users, in the process divulging an array of specific personal
information.

“Surprisingly, BeautifulPeople didn’t choose to do a press release
about this security breach,” Cluley concluded.

