Friday, June 8, 2012

eHarmony's response: Really weak

Just like LinkedIn, eHarmony found themselves victim to hackers this week. But unfortunately (and again, just like LinkedIn), the hack revealed that eHarmony had failed to take even basic precautions to secure users' passwords.

Read all about the security gaffe in my blog post here.

And here comes eHarmony's not-so-mea culpa. It's even less inspiring than LinkedIn's official comment on the matter.

eHarmony says that "a small fraction of our user base has been affected", which is probably half-true, since it seems that only 1.5 million of their password hashes were leaked (presumably eHarmony has a much larger user base than this). But they are probably also deluding themselves (or their users): the hackers only released the hashes they needed help cracking. And, indeed, help did arrive.

Less than two and a half hours later, someone with the username zyx4cba posted a list that included almost 1.2 million of them, or more than 76 percent of the overall list. [...] As of Tuesday, following the contributions of several other users, just 98,013 uncracked hashes remained. (ArsTechnica)

eHarmony, like LinkedIn, has to scramble to save face here. They can't just come out and say, "we were incompetent, sorry." But their actual comment, "Please be assured that eHarmony uses robust security measures, including password hashing and data encryption", is just a blatant falsehood. Password hashing on its own is not "robust security"; password hashing, salting, and iterating is robust. Had actual "robust security" been in place, the hacker community would not have been able to crack those 1.5 million passwords as quickly as it did.
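To make the difference concrete, here is an added example (my illustration, not code from eHarmony, LinkedIn or the original post) contrasting a bare, fast hash with a hashed, salted and iterated scheme. The account names, passwords and guess list are constructed, and PBKDF2-HMAC-SHA256 stands in for any slow salted scheme such as bcrypt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts: two users happen to share the same weak password.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}


def hash_plain(password: str) -> str:
    """'Password hashing' on its own: one round of a fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_robust(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Hash + salt + iterate: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Stored as 'iterations$salt_hex$digest_hex' so verification can recompute it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_robust(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, _ = stored.split("$")
    recomputed = hash_robust(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def duplicate_leak(hasher) -> bool:
    """Do two users with the same password get the same stored value? True means the
    stored table itself reveals who shares a password, before any cracking at all."""
    stored = {user: hasher(pw) for user, pw in ACCOUNTS.items()}
    return stored["alice"] == stored["bob"]


def lookup_table_hits(hasher) -> int:
    """A precomputed table of common guesses (constructed list) keyed by hash value
    matches unsalted hashes directly; with a per-user salt it matches nothing."""
    table = {hasher(guess): guess for guess in ["123456", "letmein", "password"]}
    stored = [hasher(pw) for pw in ACCOUNTS.values()]
    return sum(1 for h in stored if h in table)
```

With `hash_plain`, both shared-password accounts collide and two of the three accounts fall to a three-entry table; with `hash_robust`, neither happens, and each guess additionally costs 100,000 HMAC rounds per user.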

But it gets worse: "We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches." Oh, yes, let's throw every techie-sounding term out there to impress our users! The one that really irks is "load balancers". Come on, eHarmony, you have got to be kidding with that one. Your load balancers are part of your "sophisticated security" measures? Load balancers do what it sounds like they do - they evenly distribute website traffic so no one server is overburdened. And what role do load balancers play in securing user passwords? None. None whatsoever. Lame. So, so lame, eHarmony.


Not "sophisticated," cut the BS
For all their claims of "sophisticated security", they failed to use the most basic password-security best practices out there. And these aren't new, cutting-edge techniques; the password-storage best practices we're talking about are almost ancient by tech standards. But somehow eHarmony's and LinkedIn's developers missed that memo.

It's clear that their PR department is intent on painting them as the helpless victim here. The magically powerful hackers broke through their "robust" and "sophisticated" security and had their way with poor eHarmony. But the reality is that, yes, anyone can get hacked, and that is exactly why you take all reasonable measures to properly protect your users' stored passwords. They did not take all reasonable measures. They followed only one of the three best practices for securing passwords and now have a black eye because of it.

The hackers broke in, shame on them, but they should have found nothing more than a collection of millions of additional locks. They didn't. Shame on eHarmony. Now own up to it.