MilitarySingles.com has apparently been hacked.
The hack was announced on Twitter earlier today by Operation Digiturk, and a database of 163,792 names, usernames, e-mail addresses, IP addresses, and passwords has been dumped on the Internet. The tweet was accompanied by the hashtags #anonymous, #antisec and #infosec.
I don’t know if the site is aware of the hack and eSingles Inc.’s own web site does not seem to exist any more. I sent a courtesy notification to MilitarySingles.com to alert them to the hack with a request that they let this blog know what steps they will take to protect their users.
In any event, if you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their mil.gov email account.
Update Mar. 26: See comments below from MilitarySingles.com and replies to same. As of this afternoon, the site no longer displays pictures of members on its home page. Instead, I see this message, “Error: Slideshow data cannot load due to security issue.”
Update 2/Clarification: Although the first mention I saw on Twitter was from @oDigiturk, a statement on Pastebin indicates that LulzSec Reborn was responsible for this hack.
Update 3: In a March 28 story in the L.A. Times, Salvadore Rodriguez got a statement from Robert Goebel, chief executive of ESingles Inc., which owns the site. He is quoted as saying:
“Regardless of whether it was a true claim or false claim,” he said, “we’re treating it as though it’s true just to be safe.”
But Goebel said he did not think the dating site was actually hacked. He said it was down for some time over the weekend, but that was because of scheduled maintenance. He also said he was not sure how the hackers could have gotten so many accounts when the site has only about 140,000 members.
The LulzSec hackers are “probably trying to make a name for themselves or something,” Goebel said. “Just because we have the name ‘military’ in it, that might be why they decided to claim they went after us.”
Goebel said members of the dating site shouldn’t panic. Even if the hackers were successful, he said, the site’s passwords are encrypted so all accounts are safe.
Say what? Didn’t he see the proof that LulzSecR posted, or my statement that the entries in the data dump matched the visible profiles?
And as to the passwords being encrypted, I ran a bunch through an MD5 tool and it was amazing how many passwords were immediately revealed.
Frankly, I don’t know what to make of their public statements. This is somewhat mind-boggling.
Update 4: ESingles has issued a new statement saying that its investigation has concluded that no hack occurred. See the comment below.
We at ESingles Inc. are aware of the claim that someone has hacked MilitarySingles.com and are currently investigating the situation. At this time there is no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk is simply a false claim.
We do however take the security and privacy of our members very seriously and will therefore treat this claim as if it were real and proceed with the required security steps in order to ensure the website and its database is secure.
Admin, MilitarySingles.com
Care to define “actual evidence?” I compared the database in the .rar file to the “online members” pictured on your home page and the entries in the data dump correspond to those usernames.
The fact that the last entry in the data dump was time-stamped around 6 pm yesterday should make it a bit easier for you to find evidence. Good luck.
There is no evidence that it was hacked?
Hello admin https://www.militarysingles.com/esvon/files/index.html you are dumb
lol. win.
Very clever lulzsec. Good job!
militarysingles.com checklist for users available here http://dazzlepod.com/militarysingles/
Haha that “Admin” aka Goebel should probably google effective PR strategies. Lolz ftw
After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple points to note:
1. The total number of users in our database does not even closely match the number they have claimed to have exposed.
2. All user passwords in our database are encrypted and secure.
3. The location of the file the above user posted is in a repository directory on our website for users’ photos. The above user simply uploaded a photo of the Lulzsec group and does not mean in any way whatsoever that they were successful in actually hacking our service.
4. MilitarySingles.com was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.
We have taken measures to confirm our website and its database is secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses has actually come from our user database.
Admin, MilitarySingles.com
Thank you for coming back to provide that update. I will post a link to it so that if people don’t come back to this entry, they will see your update.
If I seem skeptical, however, it’s because the entries in the data dump do match the pictures your site displays of “members online.” I have been covering this stuff for a while now, and frankly, have never known Anonymous-related data dumps to be fabricated.
As to the passwords in the data dump, I ran a bunch of them through an MD5 cracker and was able to figure out the passwords. *If* you used MD5, please note it’s no longer considered very secure.
Have you decided whether to notify users to change passwords – on the off-chance that you’re wrong – or will you not be issuing any statement?
Thanks for keeping this site updated.
BTW, it’s worth noting quite a number of the accounts (email/password combo) are being reused on other sites, e.g. Twitter and webmail, further confirming the validity of the accounts.
How do you know the passwords are being reused? Did you crack them or test them, or are people reporting that to you?
Taylor Amerding has an article this morning on CSO, “ESingles must face reality of LulzSec Reborn’s MilitarySingles.com hack, experts say.”
Given the various state laws, this poses an interesting dilemma. If ESingles believes that they have not been hacked, they may conclude they have no duty to notify states or individuals (although the definition of a breach varies across states). If they’re wrong and don’t notify, they expose themselves to all kinds of problems and potential fines.
This is one of those situations where I think “an abundance of caution” should apply and at the very least, they should notify users to change passwords on other sites if they reused passwords. But that’s just my opinion.