eHarmony Reveals BreachHashed Passwords Likely Exposed
The online dating website eHarmony has warned a "small fraction" of its users of a June 6 breach that likely exposed hashed passwords associated with online accounts.
According to the online technology website ArsTechnica, about 1.5 million of the unsalted hashes linked to plaintext passwords that have been cracked so far appear to belong to users of eHarmony. The site goes on to say that at least 420 of the passwords contain the strings "eharmony" or "harmony."
The breach comes on the heels of the LinkedIn compromise that may have exposed nearly 6.5 million hashed passwords associated with the social network's accounts (see LinkedIn Confirms Password Breach). Whether the two breaches are related has not yet been confirmed.
The eHarmony site, which has more than 20 million registered users, posted a blog June 6 about the compromise.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," the blog states. The company is continuing its investigation.
As a precaution, eHarmony says it has automatically reset passwords for affected members. The site says it's directly notifying those members via e-mail with additional instructions.
Graham Cluley, a senior technology consultant at Sophos who blogged about the eHarmony and LinkedIn breaches, believes the timing of the leaks is no coincidence.
"I would find it surprising if they weren't connected," Cluley says. "Of course, we'll wait to hear from both LinkedIn and eHarmony about whether they have identified how the security breach occurred."
Cluley also notes that the hashed eHarmony password list was posted in the same underground forums as the list of hashed passwords copied from LinkedIn.
Because 65 percent of online users use the same passwords for all or most of their online accounts, including banking accounts, the chances that their eHarmony or LinkedIn passwords, if they are revealed, could be used to access other accounts are high, says Gartner fraud analyst Avivah Litan.
Doug Johnson, vice president of risk management policy for the American Bankers Association, says the breaches exemplify why it is so critical for online users not to use the same passwords across all of their social and financial sites.
"One of the incentives to attack sites like LinkedIn is clearly to not just social-engineer, but also test whether individuals are using a consistent password rather than mixing it up," he says.