
OkCupid Hit By Hackers

By ISBuzz Team | February 12, 2019 | Updated: July 4, 2024 | 5 Mins Read

It has been reported that hackers have apparently compromised some user accounts of dating service OkCupid. However, the company has denied any such attempt, triggering a debate on how safe online dating portals are. A user contacted TechCrunch to report that a hacker had broken into his account and changed the password. The email address on file was also changed, preventing the user from resetting his password.

Expert comments below:

Tim Mackey, Technical Evangelist at Synopsys:

“The reported breach at OkCupid highlights a key issue we face with account and identity management – web sites often use an email address as a form of identification but don’t validate that email address at any point during the account lifecycle. From the reported OkCupid responses to enquiries, it appears a user’s email address is their primary form of account identifier. Given that users can change email addresses, that email addresses may no longer become valid (say as the result of a provider shutting down), and that email is an insecure form of communication, the use of email as a primary form of identification is problematic from the outset.

While it’s likely rather difficult for OkCupid to quickly resolve their use of email as an identifier, there are some best practices any organisation seeking to use email within their applications should consider.

Consent is key. Don’t assume that a user correctly entered a valid email address. If they can’t confirm via email that they received a confirmation email, then they likely won’t receive any other messages. Worse, if they can’t confirm, then perhaps the email address doesn’t belong to them and you may have leaked personal information on that user who may have done nothing more serious than typo their email address in a form.
Consent is key – again. When changing an email address, don’t assume the user making the change entered the correct email address. Confirm their address with the new email address, and then only once confirmed change over from the prior one. Also send a confirmation email for this operation to the old address. This way if an account take over were to occur, the legitimate user would have an opportunity to identify the issue.
Take the claim of identity fraud seriously. If someone asserts their account was taken over – assist them in their recovery if they have access to any of the prior communication modes.
Retain a log of prior identification modes used. If someone changes their email address, don’t simply overwrite the old value with a new one. Retain that this action occurred. Identity theft can occur with all web properties and businesses aren’t built with frustrated users.”
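
The email-change practices listed in the comment above (confirm the new address before switching, notify the old address, and retain prior identifiers) can be sketched as follows. This is an added example, not code from OkCupid or from the commenter; the `Account` class, its method names, the in-memory `outbox` standing in for a mailer, and the one-hour token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds; assumed lifetime of a confirmation link


class Account:  # hypothetical model, not any real service's schema
    def __init__(self, email):
        self.email = email    # current, verified login identifier
        self.pending = None   # (new_email, token_hash, expires_at)
        self.history = []     # prior identifiers are kept, never overwritten
        self.outbox = []      # (recipient, message_type); stands in for a mailer

    def request_email_change(self, new_email, now=None):
        """Stage the change; the login identifier is NOT switched yet."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self.pending = (new_email, digest, now + TOKEN_TTL)
        self.outbox.append((new_email, "confirm"))
        # The old address hears about it too, so its owner can spot a takeover.
        self.outbox.append((self.email, "change-requested"))
        return token  # in a real system this travels only in the mail to new_email

    def confirm_email_change(self, token, now=None):
        """Switch over only once the new address proves it received the token."""
        now = time.time() if now is None else now
        if self.pending is None:
            return False
        new_email, digest, expires_at = self.pending
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expires_at or not hmac.compare_digest(supplied, digest):
            return False
        old = self.email
        self.history.append({"email": old, "replaced_at": now})
        self.email, self.pending = new_email, None
        self.outbox.append((old, "change-completed"))
        return True

    def can_assist_recovery(self, claimed_email):
        """A prior address on record supports an account-takeover claim."""
        return any(h["email"] == claimed_email for h in self.history)
```

Because the old address is retained in `history` rather than overwritten, a support process can still verify a user who only controls the previous mailbox.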

Juliette Rizkallah, CMO at SailPoint:

“With so many consumer apps available, it is more important than ever for people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well. More hackers are using credential stuffing techniques in which they take advantage of users who are not following password best practices so that they can breach multiple accounts, including business applications, by the same user.

While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”

Sandor Palfy, CTO at LastPass: 

“Reports of hacked OkCupid accounts are a great reminder that even accounts like dating apps can hold information hackers find valuable. Passwords are the first line of defense in keeping your online information safe and protected, yet many people are complacent about password hygiene. Our recent Psychology of Passwords survey found that while 91 percent of people know that using the same password for multiple accounts is a security risk, nearly two-thirds admitted that they continue to do so anyway.

If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, likely even before you learn about the breach. Using unique passwords ensures that a breach at one website doesn’t result in a stolen account at another. The longer the password is, the harder it becomes to crack or brute-force attack, which simply means it takes longer for a computer to correctly guess it. It’s also worth turning on two-factor authentication where possible for an additional layer of protection. Should your password somehow be compromised — perhaps in a phishing attack — the attacker still won’t be able to get into your account without the two-factor authentication information.

While these steps to improve security can seem daunting, using a password manager can help you create long and complex passwords, securely keep track of credentials for each site and recall them automatically the next time you log in to those accounts. This makes life easier for the user, and much more difficult for hackers.”

Terence Jackson, Chief Information Security Officer at Thycotic:

“Passwords are frequently reused across sites and legacy endpoint protection often doesn’t pick up certain malicious tools such as keyloggers. This highlights the need for consumers to practice better cyber hygiene, for example using a password manager, avoiding risky sites and applications and maybe even avoiding services that don’t offer MFA. It’s also likely that some of the OkCupid users were phished and willingly handed over access to their accounts as phishing attacks have gotten more sophisticated and prevalent.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
