UPDATE: Statement from ESingles about MilitarySingles.com
Today, a spokesperson for ESingles provided an update to the MilitarySingles.com breach report. Their statement is as follows:
After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple points to note:
1. The total number of users in our database does not even closely match the number they have claimed to have exposed.
2. All user passwords in our database are encrypted and secure.
3. The location of the file the above user posted is in a repository directory on our website for users’ photos. The above user simply uploaded a photo of the Lulzsec group and this does not mean in any way whatsoever that they were successful in actually hacking our service.
4. MilitarySingles.com was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.
We have taken measures to confirm our website and its database are secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses has actually come from our user database.
I responded to their statement with some questions and comments under their reply and I hope they’ll provide further clarification.
admin - March 29, 2012
Over on Softpedia, Eduard Kovacs shares my skepticism about ESingles’ denial: “Our separate investigations also lead us to believe that at least part of the data leak is legitimate. Nevertheless, MilitarySingles representatives were asked to provide further proof to back up their statement.”
Elsewhere on this blog, Dazzlepod also reports that some of the email/password combinations in the data dump have shown up in other sites/accounts and appear to be valid.
I am not sure why ESingles brings up the point about the site being down for maintenance as part of disputing the claimed hack. LulzSec Reborn never claimed they took the site. They said it was already down (presumably for maintenance) and they decided to grab the database.
One question that ESingles has not directly addressed yet is whether they even have a database with the name “cl_users” – the name associated with the dump. Do they?
I have no vested interest in proving or disproving any claimed breach. But I do have an interest in ensuring that people are notified if their data have been compromised, particularly if they have reused passwords. If ESingles is right, then their reputation may be taking an unfair hit, which is why I’ve made a point of publicizing their denials. But if they’re wrong, then their users need to be aware.
userland - March 29, 2012
The database I downloaded and looked through contains so much unique data that I doubt that someone made such a huge effort to create a fake just for fame …
I mean if you poke into the user table and pick any random account you don’t need to be lucky to pull a real person out. Also the chat logs seem to be genuine and are connected to the user accounts. The chats are believable.
If someone would make a statistical analysis of the accounts with the right indicators like gender and age distribution and stuff like kids, income, etc … it’ll be helpful to validate the database.
If this is all to be seriously doubted then it makes sense that it might be a false flag op and that those pulling it have access to perhaps older but genuine data which they now sacrifice to keep the boat sailing …
If the steal was real it is rather stupid behaviour to
So who is sailing the “HMS Reborn”? Spooks? Hackers?