eHarmony confirms breach, about 1.5 million passwords stolen

June 7, 2012, 3:30 PM

eHarmony has confirmed that nearly 1.5 million of its users have had their passwords -- or more specifically, hashed passwords -- stolen by hackers. The popular match-making site may have fallen victim to the same hackers who compromised LinkedIn's password database Wednesday.

It is recommended that any user of eHarmony or LinkedIn, whether or not their account was targeted, change their password immediately.

Although eHarmony had the good sense to hash its user credentials with 160-bit SHA-1, it failed to salt those password hashes. While a 160-bit hash is theoretically an intractable hurdle for hackers to contend with, without the additional layer of obfuscation provided by a salt or HMAC, SHA-1 password hashes become highly susceptible to even the most unsophisticated dictionary-based attacks. This holds true regardless of digest length for certain types of hash functions, such as SHA-1 and MD5.

The potential danger of unsalted password hashes is made clear by simply using Google to crack common MD5 password hashes. Unfortunately, this simple method also applies to SHA-1.
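An added example (not from the original article) of the point above: with unsalted SHA-1, equal passwords give equal digests, so one precomputed table matches every account at once, while a per-user salt with a slow KDF removes that shortcut. The account names, passwords, helper names and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (hypothetical, not taken from any real dump).
ACCOUNTS = {"alice": "eharmony", "bob": "sunshine1", "carol": "eharmony"}

def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the article: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()

def shared_digests(store: dict) -> dict:
    """Audit check: a digest used by several accounts shows the store is unsalted."""
    counts = Counter(store.values())
    return {digest: n for digest, n in counts.items() if n > 1}

def lookup_table_hits(store: dict, wordlist: list) -> int:
    """Count accounts matched by ONE table built once from a wordlist."""
    table = {unsalted_sha1(word) for word in wordlist}
    return sum(1 for digest in store.values() if digest in table)

def hash_password(password: str, iterations: int = 600_000) -> tuple:
    """Hardened form: random per-user salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)

if __name__ == "__main__":
    weak = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    print("accounts sharing a digest:", shared_digests(weak))
    print("hits from one small table:", lookup_table_hits(weak, ["eharmony"]))
    strong = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}
    # Same password, different salt: the stored keys no longer collide.
    print("salted keys equal:", strong["alice"][2] == strong["carol"][2])
    print("verify ok:", verify_password("eharmony", strong["alice"]))
```
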

Yesterday, the SHA-1 hash values for passwords like "linkedin", "l1nkedin", "linkedout" and "recruiter" were found in a 265MB password hash dump uploaded by hackers. This discovery, although not definitive, served as partial confirmation that the list of nearly 6.5 million password hashes belonged to LinkedIn. LinkedIn later confirmed that some users did have their credentials stolen and reset the passwords for those accounts.

With that in mind, suggestive passwords like "eharmony" can also be found within the same file. Speculators are now theorizing that the same enormous text file may also contain passwords for eHarmony and even other websites.




User Comments: 2

Guest said:

lol. "yeeees im going to steal all the desperate single peoples' information" what can you possibly achieve off of hacking eharmony lol

3DCGMODELER said:

hehehe

eharmony what a joke..
