eHarmony and Last.fm Passwords Stolen

Some customers of CBS Corp. (CBS)’s Last.fm music site and eHarmony Inc.’s dating site had passwords stolen.

eHarmony, the “No 1 Most Trusted Dating Site,” stores the personal details of millions in the USA, UK, Australia, Canada and Brazil. The dating website was founded in 2000 and is based in Santa Monica, California. Over 500 people in the U.S. get married because of the site every day. 1.5 million of eHarmony’s 20 million-plus users have had their passwords hacked.

“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” wrote eHarmony’s Becky Teroka. eHarmony has reset the passwords for those with compromised accounts. At least 420 of the passwords in this list contained the strings “harmony” or “eharmony.” The hashes found on the list are not accompanied by the corresponding login names, making it impossible for anyone to use them to gain access to a particular user’s account.

Here is eHarmony’s response on their blog:

“The security of our customers’ information is extremely important to us, and we do not take this situation lightly. After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members. We have reset affected members’ passwords. Those members will receive an email with instructions on how to reset their passwords.

[They then list the usual password advice most companies try to provide to customers]

Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information. We protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches. We deeply regret any inconvenience this causes any of our users.”

Last.fm is a British-based social music website that launched in London before being purchased by US media giant CBS in 2007. On Thursday, Last.fm, which recommends music to users based on the songs they already listen to, warned its website visitors to change their passwords after a leak which may have resulted from a hacking attack. Last.fm, with almost 40 million users, will update customers on the status of the breach through its Twitter account, said Luke Fredberg, director of international corporate communications for owner CBS in London.

###

PortalGuard is a context-based authentication platform focused on enhancing usability, while maintaining a balance between security, auditing and compliance.

http://www.PortalGuard.com