ESingles must face reality of LulzSec Reborn's MilitarySingles.com hack, experts say

As of Wednesday, management of dating site MilitarySingles.com denied the site had been hacked by a group calling itself LulzSec Reborn. But that doesn't change the reality -- that the group did in fact break into the database and steal passwords, email addresses, and other information from nearly 171,000 accounts -- several security experts say.

ESingles, which operates the dating site, issued a brief statement saying, "At this time there is no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk is simply a false claim." The company said it would "treat this claim as if it were real and proceed with the required security steps in order to ensure the website and its database is secure."

But on MilitarySingles there was no warning of a possible breach. On the home page, one of the promotional statements declares: "We are fanatical about your privacy and security. Our site is constantly monitored using state-of-the-art technology. We have spared no expense that (sic) your personal information is stored and encrypted securely, 24 hours a day, 365 days a year."

And on the ESingles site, there was no mention of it. The "latest news" was a story from January 2010.

For all that, ESingles has been relentlessly mocked, both by LulzSec Reborn and others who have compared the stolen data with what is on the site and said it matches. In the Pastebin file, a note included the line, "laughing at your security since 2011."

Such "data dumps" are relatively common, but this one has created more of a buzz because it comes less than a month after the high-profile arrest of a half-dozen LulzSec members, along with the revelation that the group had been betrayed by one of its own leaders, Hector Xavier Monsegur, whose alias was "Sabu."

So is this really LulzSec 2.0?

Zach Lanier, a security researcher, says that would only matter to somebody studying the attack patterns of different groups. "If it's about getting owned and your data being breached, it doesn't really matter," he says. "It's less about the name and more about the idea. The whole anti-sec movement has been around for a long time."

For users of the site, the obvious response is to change their passwords. Lanier says he makes sure his passwords are complex, and doesn't even know most of them, because he keeps them in a password vault. That is what he recommends for everyone. "There are plenty of free ones out there," he says. Robert Siciliano, McAfee consultant and identity theft expert, recommends a different password for every site.

But a larger issue, he says, "is all the .mil addresses, which shouldn't be allowed by the military. If they used the same passwords for their email, that's a big deal."

Regarding ESingles, Siciliano says they must do what they claim on their home page: "They must encrypt," he says.
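What the call to "encrypt" amounts to in practice is storing credentials as salted, slow hashes rather than in recoverable form, so that a stolen table does not hand out working passwords or reveal which accounts share one. The following is an added example written for this article, not code from ESingles, MilitarySingles.com or any party named above; it uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib), the iteration count is an assumption to be tuned per server, and the sample accounts are constructed. The unsalted helper is included only to show why identical plaintext passwords produce identical, and therefore correlatable, digests.

```python
"""Salted password hashing versus an unsalted digest (added example, constructed data)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a work factor that costs roughly 100 ms on the deploying server.
PBKDF2_ITERATIONS = 600_000
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt; never reused across accounts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO_TAG,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO_TAG:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than raise
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """The weak 'before' scheme: one plain hash, no salt, no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def count_shared_passwords(records: dict) -> int:
    """How many accounts in a dump share a digest with another account.

    For the unsalted scheme this equals the number of accounts whose password
    is reused elsewhere in the table; for salted records it is always 0.
    """
    seen = {}
    for user, record in records.items():
        seen.setdefault(record, []).append(user)
    return sum(len(users) for users in seen.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    users = {"alice@example.test": "Tr0ub4dor&3",
             "bob@example.test": "Tr0ub4dor&3",
             "carol@example.test": "correct horse battery staple"}
    weak = {u: unsalted_digest(p) for u, p in users.items()}
    strong = {u: hash_password(p, iterations=20_000) for u, p in users.items()}
    print("unsalted table leaks", count_shared_passwords(weak), "reused passwords")
    print("salted table leaks", count_shared_passwords(strong), "reused passwords")
    print("login ok:", verify_password("Tr0ub4dor&3", strong["alice@example.test"]))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day.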

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
