The hacker, Chris Russo, told TechCrunch he was able to access the usernames, addresses, phone numbers, real names, email addresses, passwords in plain text and PayPal accounts of more than 28 million users. He was just alerting Mr. Frind to the vulnerabilities in the site, he said, and attempted to sell Mr. Frind his services as a security analyst.
By Mr. Frind’s account, the story is more bizarre.
“At midnight Miami time my wife gets a call from Chris Russo that plentyoffish has been hacked into and that Russians have taken over his computer and are trying to kill him, and his life is in extreme danger and they are currently downloading plentyoffish’s database,” he wrote.
By the second phone call, Mr. Russo was no longer afraid of being murdered by Russians. In fact, he claimed he and his business partner knew where the Russians stored PlentyOfFish’s data and promised to delete it in exchange for complete access to the site’s backend, contracts with non-disclosure clauses and a minimum of $15,000.
According to Mr. Frind:
We asked them for their resumes and told them it’s the law in Canada, and we can’t work with them any other way. They then gave me their full names and resumes. Many of the places they “worked for” were places they tried to hack and extort. For instance the other paid dating site he hacked he listed it on his resume as working for them, obviously we called them… Now we start thinking both of them are completely retarded.
Next, I just get pissed off and start explaining how I’m going to sue them out of existence if the data comes out. They are trying to extort us, but they are making stuff up as they go along because they have absolutely no idea what they are doing. At this point I did the only logical thing; I emailed his mother.
Mr. Russo responded in a post at Grumo Media, saying the vulnerability was quite serious. He said his team was honestly trying to let PlentyOfFish know about the problem and hopefully get a client out of it, only to have Mr. Frind become abusive. “Plentyoffish.com exposes 30,000,000 users information, we reported that, and get nothing but trouble and are threatened, directly by the founder Mr. Markus Frind,” Mr. Russo said.
From an email Mr. Frind sent Mr. Russo:
If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then I’m going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn’t piratebay and we definitely aren’t fooling around.
PlentyOfFish is the most popular dating site in Canada and the U.K.; it’s second only to SinglesNet in the U.S. Mr. Frind started PlentyOfFish in his spare time in 2003 and it’s grown into a lo-fi but high-traffic cash cow.
The security breach was fairly serious for a site of PlentyOfFish’s size, according to commenters at the developer news forum Hacker News and security expert Brian Krebs. Mr. Frind said he has reset usernames and passwords for all users and fixed the vulnerability. Hacks that expose user passwords are dangerous because people often use the same password across multiple sites, potentially giving hackers enough access to steal identities. That was the major concern when Gawker’s user data was published by malicious hackers in December.
ajeffries [at] observer.com | @adrjeffries