Online dating site eHarmony is advising some of its customers to change their passwords due to a security breach.
A hacker exploited an SQL injection vulnerability in an ancillary site that eHarmony operates for content management. The hacker obtained a file that included user names, e-mail addresses, and "hashed passwords," eHarmony said; the company did not say which hash algorithm was used or whether the hashes were salted, which determines how quickly the passwords can be recovered offline. The breach--first reported today on the Krebs on Security blog--affected an informational site called eHarmony Advice, which includes message boards that require eHarmony user names and passwords to access.
The dating service's main site uses separate databases and Web servers, and "at no point during this attack did the hacker successfully get inside our eHarmony network," the company said in a blog post.
eHarmony said it had repaired the vulnerability and was notifying customers who may have been affected. Although the site did not reveal how many customers were affected, it did say it was less than 0.05 percent of its user base. eHarmony says it has had 33 million users since its inception.
Krebs said an Argentinian hacker told him late last year that he'd discovered a vulnerability in the online dating site that allowed him to view customer passwords. Krebs said that a week later, he discovered a listing for eHarmony user names and passwords on Carder.biz, an online marketplace for hacked data and accounts, botnet hosting, and stolen credit card and consumer data. The eHarmony data was being offered for sale by a user identified as "Provider" at prices ranging from $3,000 to $5,000, Krebs said.
The hacker also reportedly approached eHarmony with an offer to sell his security services to the site to fix the flaw--an offer the dating site said it declined.
SQL injection attacks occur when a Web application builds a database query by splicing untrusted input, such as a form field or URL parameter, directly into the query text, so that attacker-supplied characters are interpreted as SQL rather than as data. A crafted input can then change the query's meaning and read or modify data the application never intended to expose, such as an entire table of user names, e-mail addresses and password hashes. The standard defense is to pass user input to the database as parameters of a prepared statement instead of concatenating it into the query string.
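The following is an added example, not code from the article or from eHarmony, showing the kind of flaw described above on a constructed in-memory table: a lookup that concatenates the user name into the query text beside the parameterized version. The table layout, the sample users and the function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
# This is an assumed layout, not the schema of any real site.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "bob@example.com", "e10adc3949ba59abbe56e057f20f883e"),
    ("O'Brien", "obrien@example.com", "25d55ad283aa400af464c76d713c07ad"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the user name is spliced into the SQL text.

    Any quote character in `username` closes the string literal and the rest
    of the input is parsed as SQL, so the caller controls the WHERE clause.
    """
    query = (
        "SELECT username, email, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the user name is sent to the database as a value.

    The query text is fixed; the driver binds the input to the `?` placeholder,
    so quotes or SQL keywords in the input are compared literally, never parsed.
    """
    query = "SELECT username, email, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def run_demo():
    """Run both lookups against an injection payload and a legitimate name
    containing an apostrophe, and return the observations as a dict."""
    conn = build_db()
    results = {}

    # Classic tautology payload: turns "WHERE username = ''" into
    # "WHERE username = '' OR '1'='1'", which matches every row and dumps
    # every user name, e-mail address and password hash in the table.
    payload = "' OR '1'='1"
    results["vuln_payload_rows"] = len(lookup_vulnerable(conn, payload))
    # The same string bound as a parameter matches no user name.
    results["safe_payload_rows"] = len(lookup_safe(conn, payload))

    # Edge case: a legitimate user name with an apostrophe. The concatenated
    # query becomes malformed SQL ("'O'Brien'") and fails; the parameterized
    # one finds the user.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["safe_apostrophe_rows"] = len(lookup_safe(conn, "O'Brien"))

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the apostrophe case is that string concatenation is not just unsafe but also incorrect: escaping quotes by hand fixes the syntax error only until the next special character, whereas parameter binding separates query structure from data for every input.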