Today, a spokesperson for ESingles provided an update to the MilitarySingles.com breach report. Their statement is as follows:
After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple points to note:
1. The total number of users in our database does not even closely match the number they have claimed to have exposed.
2. All user passwords in our database are encrypted and secure.
3. The location of the file the above user posted is in a repository directory on our website for users’ photos. The above user simply uploaded a photo of the Lulzsec group and does not mean in any way whatsoever that they were successful in actually hacking our service.
4. MilitarySingles.com was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.
We have taken measures to confirm our website and its database are secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses has actually come from our user database.
I responded to their statement with some questions and comments under their reply and I hope they’ll provide further clarification.
Over on Softpedia, Eduard Kovacs shares my skepticism about ESingles’ denial: “Our separate investigations also lead us to believe that at least part of the data leak is legitimate. Nevertheless, MilitarySingles representatives were asked to provide further proof to back up their statement.”
Elsewhere on this blog, Dazzlepod also reports that some of the email/password combinations in the data dump have shown up in other sites/accounts and appear to be valid.
I am not sure why ESingles brings up the point about the site being down for maintenance as part of disputing the claimed hack. LulzSec Reborn never claimed they took the site. They said it was already down (presumably for maintenance) and they decided to grab the database.
One question that ESingles has not directly addressed yet is whether they even have a database with the name “cl_users” – the name associated with the dump. Do they?
I have no vested interest in proving or disproving any claimed breach. But I do have an interest in ensuring that people are notified if their data have been compromised, particularly if they have reused passwords. If ESingles is right, then their reputation may be taking an unfair hit, which is why I’ve made a point of publicizing their denials. But if they’re wrong, then their users need to be aware.
The database I downloaded and looked through contains so much unique data that I doubt that someone made such a huge effort to create a fake just for fame …
I mean if you poke into the user table and pick any random account you don’t need to be lucky to pull a real person out. Also the chat logs seem to be genuine and are connected to the user accounts. The chats are believable.
If someone would make a statistical analysis of the accounts with the right indicators like gender and age distribution and stuff like kids, income, etc … it’ll be helpful to validate the database.
If this is all to be seriously doubted then it makes sense that it might be a false flag op and that those pulling it have access to perhaps older but genuine data which they now sacrifice to keep the boat sailing …
If the steal was real it is rather stupid behaviour to
So who is sailing the “HMS Reborn”? Spooks? Hackers?
Chat logs? The file I downloaded didn’t have chat logs. You have a link/URL?
Excuse me, but are you kidding?
What do the folks over on Softpedia “investigate”?
What I have is a 74.4MB rar which expands to a 578.2 MB SQL dump. I had some trouble importing it due to encoding issues, charset stuff, but finally managed … wasn’t that hard in the end … just tedious …
Where did you get your stuff from?
Nope, not kidding. Downloading another copy now to check. Used the mirrors URL linked from the original paste on Pastebin and all of those mirrors are 12.75 – 13.3 MB. So where did you find the file you’re talking about that has chat logs? I suspect Eduard saw the same stuff I saw, i.e., a data dump without chat logs.
Oh, sorry for not catching this comment …
[paste and URL to data dump redacted/deleted by DataBreaches.net]
Feel free to edit this comment if you don’t want to have that kind of info here …
Download and then check yourself. There’s a multitude of messaging (instant_messenger_instant_messages, 21458), chat (cometchat, 170577) and private messages (priv_msg, 390909) in there … not that huge amount but enough.
Still, it’s too few for a good and active site but who knows …
Yep, it was a different database linked from a different paste announcing the hack. I’m downloading the one you pointed me to now and will update later after I’ve had a chance to look at it. Thanks.
Can you make the paste available somehow please? No PM though … perhaps in a reply for a couple of minutes? I’d like to compare …
The ~13 MB version is still available from a number of mirrors for you to download so you can compare, such as the mirror at http://www.embedupload.com/?EU=4DR1M2FVGT&urlkey=MjkxMjAzMjkxMjAz
Hope you understand, but I don’t want to upload data to this site as I still fear/think it is real data. Once I have the one you pointed me to downloaded, I’ll start comparing the two also.
Ok, thanks.
I did not import your file but if I take the last ID, the download I gave you contains two days more. Last date in the large DB is 2012-03-26 10:18:33
This must be bleeding edge stuff based on the date of the pastebin which is also the 26th …
Yep. The last entry in the database I had downloaded was March 24 around 6 pm and the paste was posted on March 25. I assume (always risky) that ESingles was responding to the first/smaller dump. I wonder if they even know about the larger one, as they make no reference to chat logs in their claim that this was fabricated.
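The two checks the commenters run above, counting the rows in each table (instant_messenger_instant_messages, cometchat, priv_msg) and finding the latest timestamp in the dump to see which copy is newer, can be scripted rather than done by importing the whole file. The following is an added example, not code from the original thread; it parses a small constructed MySQL-style dump (the table names and rows are made up) and counts the tuples in each INSERT statement while respecting quoted strings, so parentheses or semicolons inside message text do not throw the count off.

```python
import re
from collections import Counter

# Constructed sample dump (not real data): multi-row INSERTs, and message
# bodies that contain parentheses and a semicolon to exercise the parser.
SAMPLE_DUMP = """
CREATE TABLE `cl_users` (`id` int, `email` varchar(255), `pass` char(32), `created` datetime);
INSERT INTO `cl_users` VALUES (1,'a@example.org','0123456789abcdef0123456789abcdef','2012-03-20 09:00:00'),(2,'b@example.org','fedcba9876543210fedcba9876543210','2012-03-24 18:05:11');
INSERT INTO `priv_msg` VALUES (10,1,2,'hi :) (call me)','2012-03-26 10:18:33'),(11,2,1,'sure; ok','2012-03-26 10:20:00');
"""

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES\s*", re.IGNORECASE)
TS_RE = re.compile(r"'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'")


def count_tuples(values: str) -> int:
    """Count top-level (...) groups in a VALUES list up to the terminating ';'.
    Quoted strings are skipped so a ')' or ';' inside a message is ignored."""
    depth = 0
    in_str = False
    quote = ""
    count = 0
    i = 0
    while i < len(values):
        ch = values[i]
        if in_str:
            if ch == "\\":          # backslash escape: skip the next character
                i += 2
                continue
            if ch == quote:
                in_str = False
        elif ch in ("'", '"'):
            in_str = True
            quote = ch
        elif ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ";" and depth == 0:
            break
        i += 1
    return count


def table_row_counts(dump: str) -> dict:
    """Rows per table, summed over every INSERT statement for that table."""
    counts = Counter()
    for m in INSERT_RE.finditer(dump):
        counts[m.group(1)] += count_tuples(dump[m.end():])
    return dict(counts)


def latest_timestamp(dump: str):
    """Newest 'YYYY-MM-DD HH:MM:SS' literal in the dump (ISO order sorts
    lexicographically), or None if the dump contains no such literal."""
    return max(TS_RE.findall(dump), default=None)


if __name__ == "__main__":
    print(table_row_counts(SAMPLE_DUMP))   # {'cl_users': 2, 'priv_msg': 2}
    print(latest_timestamp(SAMPLE_DUMP))   # 2012-03-26 10:20:00
```

Running it over two copies of a dump gives the same comparison the comments make by hand: the copy with the larger counts and the later timestamp is the more recent one, and a table that is missing entirely from one copy (chat logs, in this case) shows up as an absent key.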
That’s what I’m wondering. Can you give me a link/url to get what you’re looking at, please?
But as we have both noted, unsalted MD5 is not secure:
Of course, they’re claiming that those are not their data anyway, but if they’re wrong….
This is all too stupid.
IF this is really military personnel it is simply frightening how low the standards are and how low the security awareness is.
This is a feast for social engineers. What can be better than desperate men/women in possibly security relevant position …
Oh, and one more thing. The statement:
“All user passwords in our database are encrypted and secure.”
is only half true.
Encrypted, yes. Secure, no. All I say is “unsalted MD5”
Check out this breakdown of the passwords.
http://iqsecur.blogspot.com/2012/04/analysis-of-leaked-militarysinglesorg.html
Ian Qvist has managed to crack 92.2% of all passwords using a combination of brute-force, wordlists and rainbow tables.
I’m not surprised based on my smaller random checks. Of course, if ESingles continues to insist that those aren’t their databases/data….
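The point made repeatedly above is that “encrypted” and “secure” are not the same thing: an unsalted MD5 is a fixed function of the password alone, so identical passwords produce identical hashes and one precomputed table (wordlist or rainbow table) serves every account in the dump at once, which is what makes a 92.2% recovery rate plausible. The following is an added example, not code from the original post or from Ian Qvist’s analysis; it uses a constructed set of accounts to show the duplicate-hash and wordlist exposure of the unsalted scheme and, beside it, a salted and iterated PBKDF2-HMAC-SHA256 store from the Python standard library where the same password yields different hashes and has to be verified per account.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not from any real dump). Two users chose the
# same password, which is what an unsalted hash table gives away.
SAMPLE_ACCOUNTS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "Tr0ub4dor&3",
}


def unsalted_md5(password: str) -> str:
    """The storage scheme the thread describes: MD5 of the raw password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(stored: dict) -> dict:
    """Map each stored hash to the users sharing it. With unsalted MD5 an
    identical hash means an identical password, so recovering one password
    unlocks every account in the group."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def exposure_from_wordlist(stored: dict, wordlist) -> set:
    """Defensive audit: which accounts use a password from a common list?
    One table of MD5(word) answers the question for the whole database,
    which is the precomputation that wordlists and rainbow tables rely on."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {user for user, h in stored.items() if h in table}


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as
    algo$iterations$salt_hex$digest_hex. A fresh random salt per account
    means no shared table can be reused across users."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = {u: unsalted_md5(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("accounts sharing a hash:", duplicate_hash_groups(weak))
    print("in wordlist:", exposure_from_wordlist(weak, ["password1", "letmein", "123456"]))
    strong = {u: hash_password(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("alice/carol salted hashes differ:", strong["alice"] != strong["carol"])
    print("verify alice:", verify_password("password1", strong["alice"]))
```

The wordlist audit is the check an operator should have been able to run against their own table before a breach: if a large fraction of stored hashes match a short common-password list, the scheme is already failing regardless of whether the database has leaked. The PBKDF2 store is stdlib-only for portability; a dedicated scheme such as bcrypt, scrypt or Argon2 is the usual production choice, and the iteration count is a tunable cost rather than a fixed constant.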
The most frightening point in all this is the statement:
“After a thorough investigation by our company programmers”……
To me, this means that this has stayed in house without any professional forensic help? Programmers aren’t trained to catch subtle changes or to follow a trail that dead ends or becomes a nightmare. All in house people could potentially do is muddy the water so IF a forensic team is sent in, the data is so polluted that it is not worth digging into, a technologically based “cover-up” if you will.
If I had to take a SWAG, I’d say the middle to upper management hasn’t been actively involved with the functions at hand and has left the vehicle to drive itself. The clan of programmers aren’t pointing fingers, or spilling the beans on the issue. Management probably screams “find out what’s really going on”, like a parent would say to a child. The staff isn’t going to put itself on report so what do you have here? Basically a stew pot of petrified waste.