It has been reported that hackers have apparently compromised some user accounts of the dating service OkCupid. The company, however, has denied any such incident, triggering a debate over how safe online dating portals are. A user contacted TechCrunch to report that a hacker broke into his account and changed the password. Worse, the email address on file was changed as well, leaving the user unable to reset his password.
Expert comments below:
Tim Mackey, Technical Evangelist at Synopsys:
“While it’s likely rather difficult for OkCupid to quickly resolve their use of email as an identifier, there are some best practices any organisation seeking to use email within their applications should consider.
Consent is key. Don’t assume that a user correctly entered a valid email address. If they can’t confirm via email that they received a confirmation email, then they likely won’t receive any other messages. Worse, if they can’t confirm, then perhaps the email address doesn’t belong to them and you may have leaked personal information on that user who may have done nothing more serious than typo their email address in a form.
Consent is key – again. When changing an email address, don’t assume the user making the change entered the correct email address. Confirm their address with the new email address, and only once confirmed change over from the prior one. Also send a confirmation email for this operation to the old address. This way, if an account takeover were to occur, the legitimate user would have an opportunity to identify the issue.
Take the claim of identity fraud seriously. If someone asserts their account was taken over – assist them in their recovery if they have access to any of the prior communication modes.
Retain a log of prior identification modes used. If someone changes their email address, don’t simply overwrite the old value with a new one. Retain that this action occurred. Identity theft can occur with all web properties and businesses aren’t built with frustrated users.”
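The four practices above (confirm the new address before switching, notify the old address, keep the prior identifiers rather than overwriting them, and use that history to assist a user who claims a takeover) fit together in one email-change flow. The following is an added illustration, not code from OkCupid or from any of the quoted contributors; the `send_mail` callable, the token lifetime and the class and function names are assumptions made for the example.

```python
"""Email-change flow: confirm the new address, notify the old one, and retain
a history of prior identifiers for account recovery (constructed example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation token


@dataclass
class Account:
    user_id: str
    email: str
    # (old_email, new_email, unix_time); appended to, never overwritten
    email_history: list = field(default_factory=list)


class EmailChangeService:
    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # assumed: callable(to_address, subject, body)
        self.now = now              # injectable clock so expiry can be tested
        # sha256(token) -> (user_id, new_email, expiry); only the digest is stored,
        # so a leaked pending table does not hand out usable tokens
        self.pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_change(self, account, new_email):
        """Start a change: the new address must prove it received the token,
        and the old address is told that a change was requested."""
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (
            account.user_id, new_email, self.now() + TOKEN_TTL_SECONDS)
        self.send_mail(new_email, "Confirm your new address",
                       f"Confirmation token: {token}")
        self.send_mail(account.email, "Email change requested",
                       "If you did not request this change, your account may "
                       "be compromised; contact support from this address.")
        return token  # in production the token travels only by email

    def confirm_change(self, account, token):
        """Switch the address only once the new one is confirmed. The token is
        single-use and bound to the account; the old address is notified."""
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return False
        user_id, new_email, expires_at = entry
        if user_id != account.user_id or self.now() > expires_at:
            return False
        old_email = account.email
        account.email_history.append((old_email, new_email, self.now()))
        account.email = new_email
        self.send_mail(old_email, "Your email address was changed",
                       f"The address on this account is now {new_email}.")
        return True


def prior_addresses(account):
    """Every address that has ever identified this account, current one included."""
    return {old for old, _, _ in account.email_history} | {account.email}


def can_assist_recovery(account, claimed_email):
    """A takeover claim is worth acting on if the claimant controls any address
    that previously identified the account, not only the current one."""
    return claimed_email in prior_addresses(account)


if __name__ == "__main__":
    outbox = []
    svc = EmailChangeService(lambda to, subj, body: outbox.append((to, subj)))
    acct = Account(user_id="u1", email="old@example.invalid")  # constructed
    tok = svc.request_change(acct, "new@example.invalid")
    print("confirmed:", svc.confirm_change(acct, tok), "->", acct.email)
    print("old address still recoverable:",
          can_assist_recovery(acct, "old@example.invalid"))
    for to, subj in outbox:
        print(f"  mail to {to}: {subj}")
```

The old address receives two messages, one when the change is requested and one when it completes, so the legitimate owner sees the attempt even if the attacker controls the session; and because the history is retained, a later recovery claim from the old address can still be matched to the account.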
Juliette Rizkallah, CMO at SailPoint:
“While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data, but also to the security of sensitive company data and files.”
Sandor Palfy, CTO at LastPass:
“If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, likely even before you learn about the breach. Using unique passwords ensures that a breach at one website doesn’t result in a stolen account at another. The longer the password is, the harder it becomes to crack or brute-force, which simply means it takes longer for a computer to correctly guess it. It’s also worth turning on two-factor authentication where possible for an additional layer of protection. Should your password somehow be compromised – perhaps in a phishing attack – the attacker still won’t be able to get into your account without the two-factor authentication information.
While these steps to improve security can seem daunting, using a password manager can help you create long and complex passwords, securely keep track of credentials for each site and recall them automatically the next time you log in to those accounts. This makes life easier for the user, and much more difficult for hackers.”
Terence Jackson, Chief Information Security Officer at Thycotic:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.