[BreachExchange] Users complain of account hacks, but OkCupid denies a data breach

[Destry Winant]

https://techcrunch.com/2019/02/10/okcupid-account-hacks/

It’s bad enough that dating sites are a pit of exaggerations and
inevitable disappointment, they’re also a hot target for hackers.

Dating sites aren’t considered the goldmine of personal information
like banks or hospitals, but they’re still an intimate part of
millions of people’s lives and have long been in the sights of
hackers. If the hackers aren’t hitting the back-end database like with
the AdultFriendFinder, Ashley Madison, and Zoosk breaches, the hackers
are trying break in through the front door with leaked or guessed
passwords.

That’s what appears to be happening with some OkCupid  accounts.

A reader contacted TechCrunch after his account was hacked. The
reader, who did not want to be named, said the hacker broke in and
changed his password, locking him out of his account. Worse, they
changed his email address on file, preventing him from resetting his
password.

OkCupid didn’t send an email to confirm the address change — it just
blindly accepted the change.

“Unfortunately, we’re not able to provide any details about accounts
not connected to your email address,” said OkCupid’s customer service
in response to his complaint, which he forwarded to TechCrunch. Then,
the hacker started harassing him strange text messages from his phone
number that was lifted from one of his private messages.

It wasn’t an isolated case. We found several cases of people saying
their OkCupid account had been hacked.

Another user we spoke to eventually got his account back. “It was
quite the battle,” he said. “It was two days of constant damage
control until [OkCupid] finally reset the password for me.”

Other users we spoke to had better luck than others in getting their
accounts back. One person didn’t bother, he said. Even disabled
accounts can be re-enabled if a hacker logs in, some users found.

But several users couldn’t explain how their passwords — unique to
OkCupid and not used on any other app or site — were inexplicably
obtained.

“There has been no security breach at OkCupid,” said Natalie Sawyer, a
spokesperson for OkCupid. “All websites constantly experience account
takeover attempts. There has been no increase in account takeovers on
OkCupid.”

Even on OkCupid’s own support pages, the company says that account
takeovers often happen because someone has an account owner’s login
information. “If you use the same password on several different sites
or services, then your accounts on all of them have the potential to
be taken over if one site has a security breach,” says the support
page.

That’s describes credential stuffing, a technique of running a vast
lists of usernames and passwords against a website to see if a
combination lets the hacker in. The easiest, most effective way
against credential stuffing is for the user to use a unique password
on each site. For companies like OkCupid, the other effective blocker
is by allowing users to switch on two-factor authentication.

When asked how OkCupid plans to prevent account hacks in the future,
the spokesperson said the company had “no further comment.”

In fact, when we checked, OkCupid was just one of many major dating
sites — like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony —
that didn’t use two-factor authentication at all.

As if dating wasn’t tough enough at the best of times, now you have to
defend yourself from hackers, too.