MilitarySingles.com hack exposes over 160,000 users’ information (updated to include ESingles denial of breach)
MilitarySingles.com has apparently been hacked.
The hack was announced on Twitter earlier today by Operation Digiturk and a database of 163,792 names, usernames, e-mail addresses, IP addresses, and passwords has been dumped on the Internet. The tweet was accompanied by the hashtags #anonymous #antisec #infosec.
I don’t know if the site is aware of the hack and eSingles Inc.’s own web site does not seem to exist any more. I sent a courtesy notification to MilitarySingles.com to alert them to the hack with a request that they let this blog know what steps they will take to protect their users.
In any event, if you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their mil.gov email account.
Update Mar. 26: See comments below from MilitarySingles.com and replies to same. As of this afternoon, the site no longer displays pictures of members on its home page. Instead, I see this message, “Error: Slideshow data cannot load due to security issue.”
Update 2/Clarification: Although the first mention I saw on Twitter was from @oDigiturk, a statement on Pastebin indicates that LulzSec Reborn was responsible for this hack.
Update 3: In a March 28 story in the L.A. Times, Salvadore Rodriguez got a statement from Robert Goebel, chief executive of ESingles Inc., which owns the site. He is quoted as saying:
“Regardless of whether it was a true claim or false claim,” he said, “we’re treating it as though it’s true just to be safe.”
But Goebel said he did not think the dating site was actually hacked. He said it was down for some time over the weekend, but that was because of scheduled maintenance. He also said he was not sure how the hackers could have gotten so many accounts when the site has only about 140,000 members.
The LulzSec hackers are “probably trying to make a name for themselves or something,” Goebel said. “Just because we have the name ‘military’ in it, that might be why they decided to claim they went after us.”
Goebel said members of the dating site shouldn’t panic. Even if the hackers were successful, he said, the site’s passwords are encrypted so all accounts are safe.
Say what? Didn’t he see the proof that LulzSecR posted, or my statement that the entries in the data dump matched the visible profiles?
And as to the passwords being encrypted, I ran a bunch through an MD5 tool and it was amazing how many passwords were immediately revealed.
Frankly, I don’t know what to make of their public statements. This is somewhat mind-boggling.
Update 4: ESingles has issued a new statement in which they say that their concluded investigation indicates no hack occurred. See the comment below.