Ashley Madison is hardly the only dating site attracting hackers. A security firm said it’s found evidence suggesting nearly 100 similar websites have been attacked since July — and some are still vulnerable.
Hold Security founder Alex Holden said Russian-language hackers boasted online of breaching 97 different websites, allowing attackers to pilfer credentials such as email addresses and passwords.
“The sheer number of the sites that are vulnerable and the basic vulnerabilities are alarming,” Mr. Holden told The Washington Times on Monday.
Researchers with Hold Security discovered a publicly accessible website that contained evidence of the hackers’ exploits, including the names of targeted sites and a “running list of vulnerabilities” that could be used to crack in, Mr. Holden said. He told The Times that the hackers boasted of using SQL injections — a basic maneuver in which malicious code is submitted through an entry form on a website in order to trick the server into returning internal data — in order to compromise dozens of various niche dating services, as well as a handful of job sites.
Mr. Holden declined to identify the victims because a number of them are still vulnerable, but said the domain names suggest they are based in countries around the world, including the United States, Germany, Norway and Italy. He said that Hold Security is working with at least one Computer Emergency Response Team, or CERT entity, to inform victims and minimize the impact.
Unlike the recent Ashley Madison breach, Mr. Holden said the information that hackers are stealing from dating sites aren’t detailed accounts of sexual interests and desires, but rather a comparatively mundane list of login credentials and email addresses that he said will likely be used for spam campaigns.
In the wake of the Ashley Madison hack, Mr. Holden penned an op-ed explaining that dating sites are attractive to spammers because they often keep records of user info, like gender, age and body shape, that can be exploited in order to run targeted email campaigns based on the spammers’ needs and demographics.
“As long as there is perceived value in dating sites’ data, there will be malicious individuals wanting to exploit them,” he wrote. “So as consumers of any online dating service, don’t just feel secure and satisfied with a vague security statement on a website. Do some research about site’s security, privacy and track record. Dating takes a leap of faith. Choosing a dating site should not.”
Also on Monday, The Los Angeles Times reported that senior U.S. officials believe Chinese and Russian intelligence agencies have aggregated user data stolen during major recent hacks and are cross-indexing the info in order to learn the identities of American spies.
While the Times said the officials claimed they saw evidence that data stolen during the OPM, Anthem and United Airlines hacks were being used by foreign governments, The Associated Press reported that hundreds of U.S. government workers may be implicated in the Ashley Madison breach following its own review of the leaked user records.
Last year, Hold Security found evidence a Russian crime ring accumulated 1.2 billion user-name and password combinations that were stolen on the Web. In 2013, Mr. Holden discovered hackers had breached the network of software giant Adobe and had taken source code from some of its products.
According to IDG, where Hold Security’s latest research was first reported, all of the hacked dating and jobs sites spotted by researchers were breached between July 4 and late-August.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.