Alleged Plenty of Fish hacker speaks out, claims he was only trying to help
On Sunday night, Markus Frind, the founder and chief executive of Plenty of Fish, took to his personal blog to write a story about how the popular online dating Website suffered a serious security breach at the hands of a hacker on Jan. 18.
He went on to describe how he was approached by someone that he described as a hacker who allegedly tapped into the Plenty of Fish database and downloaded the emails, user names and passwords of hundreds of users.
According to Mr. Frind, Mr. Russo co-ordinated a sophisticated two-day attack on Plenty of Fish’s servers in an attempt to gain access to user data, which he allegedly then used in an attempt to extort money from the site’s owners.
When contacted by the Financial Post, Mr. Frind said the site’s technicians were able to shut down the security vulnerability within 60 seconds of learning about it, and that the information from about 345 accounts was accessed.
However, in an email to the Financial Post, Mr. Russo said that at no time did he attempt to extort money from Mr. Frind. Rather, he contacted Mr. Frind on Jan. 21 to inform him of the vulnerability in the Plenty of Fish Website.
“The last Friday 21 of January, we discovered a vulnerability in plentyoffish exposing users details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text and in most cases, paypal accounts, or more than 28,000,000 (twenty eight million users). This vulnerability was under active exploitation by hackers. My team decided to notify about this circunstances [sic] to Mr. Markus Frind, the founder and CEO of PlentyOfFish Inc. as soon as possible in order to stop any potential damage wich [sic] could be done, by the explotation of this vulnerability.”
Mr. Russo said that he contacted Mr. Frind’s wife – Plenty of Fish employee Annie Kanciar – and that the vulnerability was fixed. He claims Plenty Of Fish thanked him and remained in contact with him and that they were “interested in hiring us as security professionals in order to make an analysis of the plataform [sic].”
In the statement Mr. Russo emailed to the Financial Post, he claims that Mr. Frind uttered several threats towards him in addition to threatening legal action.
In Mr. Frind’s original blog post, he also claims that Mr. Russo told him that he hacked into several other dating Websites and gave him the administrative password for another famous dating company that he refused to name.
In an email to the Financial Post, Mr. Frind said the dating Website he would not name in the blog post is actually eHarmony.
We contacted eHarmony to find out if the site was indeed compromised. In an email to the Financial Post, Paul Breton, eHarmony’s director of corporate communications, told us that no eHarmony user data was compromised.
“When we became aware of this situation with Plenty of Fish, we checked our systems and confirmed that no eHarmony user data has been compromised,” he said in an email.
Brian Krebs, a former reporter for the Washington Post who now writes the blog “Krebs on Security,” said that Mr. Russo contacted him on Jan. 19 about potential vulnerabilities in Plenty of Fish’s architecture.
In a blog post, he said he contacted Mr. Frind to inform him of the security breach, but he never heard back.
In order to prove that he had found a bug in the Plenty of Fish system, Mr. Russo reportedly got Mr. Krebs to sign up for an account with the site, then read him back his information after hacking in and obtaining it.
In his blog post he offers his own thoughts on why hackers were able to allegedly access Plenty of Fish’s security architecture.