Some eHarmony user information stolen

An ancillary advice site that uses eHarmony user names and passwords was hacked using an SQL injection vulnerability.

By Steven Musil, Night Editor / News, CNET News

Online dating site eHarmony is advising some of its customers to change their passwords due to a security breach.

A hacker employed an SQL injection vulnerability in an ancillary site that eHarmony operates for content management. The hacker obtained a file that included user names, e-mail addresses, and "hashed passwords," eHarmony said. The breach, first reported today on the Krebs on Security blog, affected an informational site called eHarmony Advice, which includes message boards that require eHarmony user names and passwords to access.

The dating service's main site uses separate databases and Web servers, and "at no point during this attack did the hacker successfully get inside our eHarmony network," the company said in a blog post.

eHarmony said it had repaired the vulnerability and was notifying customers who may have been affected. Although the site did not reveal how many customers were affected, it did say it was less than 0.05 percent of its user base. eHarmony says it has had 33 million users since its inception.

Krebs said an Argentinian hacker told him late last year that he'd discovered a vulnerability in the online dating site that allowed him to view customer passwords. Krebs said that a week later, he discovered a listing for eHarmony user names and passwords on Carder.biz, an online marketplace for hacked data and accounts, botnet hosting, and stolen credit card and consumer data. The eHarmony data was being offered for sale by a user identified as "Provider" at prices ranging from $3,000 to $5,000, Krebs said.

The hacker also reportedly approached eHarmony with an offer to sell his security services to the site to fix the flaw, an offer the dating site said it declined.

SQL injection attacks occur when malicious SQL is slipped into user-supplied input that a Web site passes, without proper escaping or parameterization, into the queries it runs against the database that feeds the site. The database then executes the attacker's text as part of the query, which can expose data, such as a user table, that the page was never meant to return.
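To make the mechanism concrete, the following is an added illustration, not code from the article or from eHarmony, using a constructed in-memory SQLite table with made-up rows. It places a query built by string concatenation beside the same query written with a bound parameter and shows why only the first one treats user input as SQL.

```python
import sqlite3

# Constructed sample rows for the demonstration; the schema and values are
# invented and have nothing to do with the site discussed in the article.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-of-alice-password"),
    ("bob", "bob@example.com", "hash-of-bob-password"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by concatenation: whatever the caller typed becomes SQL.

    An apostrophe in the input breaks the statement (a syntax error that shows
    up in database logs), and SQL keywords in the input change what the query
    matches.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Uses a bound parameter: the caller's text is always data, never SQL.

    The driver sends the query text and the value separately, so apostrophes
    and keywords in the input are compared literally against the column.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A legitimate name containing an apostrophe: fine for the safe version,
    # a syntax error for the concatenated one.
    try:
        print(lookup_user_vulnerable(conn, "o'brien"))
    except sqlite3.OperationalError as exc:
        print("vulnerable lookup failed on an apostrophe:", exc)
    print(lookup_user_safe(conn, "o'brien"))  # [] : no such user, no error

    # Input that contains SQL: the concatenated query now matches every row,
    # while the parameterized query looks for a user literally named that.
    crafted = "' OR '1'='1"
    print(lookup_user_vulnerable(conn, crafted))  # both sample rows
    print(lookup_user_safe(conn, crafted))        # []
```

The defensive lesson is the one eHarmony had to apply after the fact: every place where request data reaches a query should use bound parameters (or a query builder that does so), and unexplained SQL syntax errors in application logs are worth treating as a signal that someone is probing for exactly this flaw.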