hack exposes over 160,000 users’ information (updated to include ESingles denial of breach) has apparently been hacked.

The hack was announced on Twitter earlier today by Operation Digiturk and a database of 163,792 names, usernames, e-mail addresses, IP addresses, and passwords has been dumped on the Internet. The tweet was accompanied by the hashtags #anonymous #antisec #infosec.

I don’t know if the site is aware of the hack and eSingles Inc.’s own web site does not seem to exist any more. I sent a courtesy notification to to alert them to the hack with a request that they let this blog know what steps they will take to protect their users.

In any event, if you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their email account.

Update Mar. 26: See comments below from and replies to same.  As of this afternoon, the site no longer displays pictures of members on its home page. Instead, I see this message, “Error: Slideshow data cannot load due to security issue.”

Update 2/Clarification:  Although the first mention I saw on Twitter was from @oDigiturk, a statement on Pastebin indicates that LulzSec Reborn was responsible for this hack.

Update 3:  In a March 28 story in the L.A. Times, Salvador Rodriguez got a statement from Robert Goebel, chief executive of ESingles Inc., which owns the site. He is quoted as saying:

“Regardless of whether it was a true claim or false claim,” he said, “we’re treating it as though it’s true just to be safe.”

But Goebel said he did not think the dating site was actually hacked. He said it was down for some time over the weekend, but that was because of scheduled maintenance. He also said he was not sure how the hackers could have gotten so many accounts when the site has only about 140,000 members.

The LulzSec hackers are “probably trying to make a name for themselves or something,” Goebel said. “Just because we have the name ‘military’ in it, that might be why they decided to claim they went after us.”

Goebel said members of the dating site shouldn’t panic. Even if the hackers were successful, he said, the site’s passwords are encrypted so all accounts are safe.

Say what? Didn’t he see the proof that LulzSecR posted, or my statement that the entries in the data dump matched the visible profiles?

And as to the passwords being encrypted, I ran a bunch through an MD5 tool and it was amazing how many passwords were immediately revealed.

Frankly, I don’t know what to make of their public statements. This is somewhat mind-boggling.

Update 4: ESingles has issued a new statement saying that their completed investigation found that no hack occurred.  See the comment below.

About the author: Dissent

11 comments to “ hack exposes over 160,000 users’ information (updated to include ESingles denial of breach)”

  1. ESingles Inc - March 25, 2012

    We at ESingles Inc. are aware of the claim that someone has hacked and are currently investigating the situation. At this time there is no actual evidence that was hacked and it is possible that the Tweet from Operation Digiturk is simply a false claim.

    We do however take the security and privacy of our members very seriously and will therefore treat this claim as if it were real and proceed with the required security steps in order to ensure the website and its database is secure.


    • admin - March 25, 2012

      Care to define “actual evidence?” I compared the database in the .rar file to the “online members” pictured on your home page and the entries in the data dump correspond to those usernames.

      The fact that the last entry in the data dump was time-stamped around 6 pm yesterday should make it a bit easier for you to find evidence. Good luck.

  2. lulzsecfan - March 25, 2012

    There is no evidence that was hacked?
    Hello admin you are dumb

  3. Lamarr - March 27, 2012

    lol. win.

  4. Dig3nius - March 27, 2012

    Very clever lulzsec. Good job!

  5. disclosure - March 27, 2012

    checklist for users available here

  6. Lamarr - March 28, 2012

    Haha that “Admin” aka Goebel should probably google effective PR strategies. Lolz ftw

  7. ESingles Inc - March 28, 2012

    After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple points to note:

    1. The total number of users in our database does not even closely match the number they have claimed to have exposed.

    2. All user passwords in our database are encrypted and secure.

    3. The location of the file the above user posted is in a repository directory on our website for users’ photos. The above user simply uploaded a photo of the Lulzsec group and does not mean in any way whatsoever that they were successful in actually hacking our service.

    4. was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.

    We have taken measures to confirm our website and its database is secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses has actually come from our user database.


    • admin - March 28, 2012

      Thank you for coming back to provide that update. I will post a link to it so that if people don’t come back to this entry, they will see your update.

      If I seem skeptical, however, it’s because the entries in the data dump do match the pictures your site displays of “members online.” I have been covering this stuff for a while now, and frankly, have never known Anonymous-related data dumps to be fabricated.

      As to the passwords in the data dump, I ran a bunch of them through an MD-5 cracker and was able to figure out the passwords. *If* you used MD-5, please note it’s no longer considered very secure.

      Have you decided whether to notify users to change passwords – on the off-chance that you’re wrong – or will you not be issuing any statement?

      Thanks for keeping this site updated.

      • disclosure - March 29, 2012

        BTW, it’s worth noting quite a number of the accounts (email/password combo) are being reused on other sites, e.g. Twitter and webmail, further confirming the validity of the accounts.

        • admin - March 29, 2012

          How do you know the passwords are being reused? Did you crack them or test them, or are people reporting that to you?

          Taylor Armerding has an article this morning on CSO, “ESingles must face reality of LulzSec Reborn’s hack, experts say.”

          Given the various state laws, this poses an interesting dilemma. If ESingles believes that they have not been hacked, they may conclude they have no duty to notify states or individuals (although the definition of a breach varies across states). If they’re wrong and don’t notify, they expose themselves to all kinds of problems and potential fines.

          This is one of those situations where I think “an abundance of caution” should apply and at the very least, they should notify users to change passwords on other sites if they reused passwords. But that’s just my opinion.
