Two Tales of a Hacking

Markus Frind, founder of dating web site Plenty of Fish, says his site got hacked last week. The hacker got away with user email addresses, user names, and passwords. Plenty of Fish has since reset the passwords.

Frind accuses Chris Russo as the hacker. He said it took Russo 2 days to break into their system. Then Frind states that Russo called Frind's home to extort him. He says that Russo is a 23 year old from Argentina. Frind says Russo wanted access to all the source code from Plenty of Fish, as well as unspecified money for "security services".

Chris Russo, on the other hand, says he only reported a bug. He discovered a vulnerability that affected all 28 million Plenty of Fish user accounts. The vulnerability was fixed. Russo goes on to say that Plenty of Fish wanted to hire him as a security professional.

The specifics of the vuln were based on a Microsoft SQL Server injection hole. It allowed a hacker to make a full backup of the database. You combine that with the fact that Plenty of Fish stores user passwords in plain text, and you get disaster. So who are we going to believe here? I bet like most cases, both sides are telling some truth, and are also adding some lies. It really seems like a mess.