The hacking of db.singles.org continued
Well, I've received a few comments and emails about this, and things are just getting worse. As of 7:38 AM 02.23.2009 they still haven't put anything on their site indicating that anything even happened. Email is clearly not a valid option b/c of the nature of the breach (although it's still worth trying).
I realized something and went to check it, and the story gets worse. On their homepage there are two Galleries, one for men, one for women. The galleries are pictures of the members. There are several missing images, many of which weren't missing yesterday at the onset of this. I can only hope it's b/c people found out their accounts were breached, noticed the defacements and either removed the substituted pictures or removed their own picture; hopefully it's b/c they closed their accounts (which is what I recommended each person I contacted do). I don't want to make the problem worse, but there's an important point to be made here.
Yesterday I noted that all that was needed to access an account was simply to change the 5-digit account number associated with it in the query string. Well, for each member of the gallery, they have a four-letter abbreviation and then the account number. If there was any doubt who owned what account, or you wanted to get a list of valid account holders, you could go straight to the gallery. If your profile had cscp10000 as the account in the query string, and you saw another member in the gallery who had cscp10001 listed, it wouldn't take much brain power to realize that 10001 was definitely their account information. It's very likely I'm not the only one to catch this. What this would allow you to do is basically scrape for account numbers that you knew were active and valid (as opposed to the loop/substitution approach I used, which results in many dead accounts). Why on earth would posting information like this be of any value to anyone other than a lazy programmer? You can't identify me in any way by cscp10000 other than on this site. I could at least understand it if it were first names or something like that, but this was the exact value to inject into the query string to get to the updatable account page.
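From the defender's side, the id substitution described above leaves an obvious trace in the web server's access log: one client walking consecutive account numbers, dead accounts included. The following is an added example (not the site's code or the author's) that flags that pattern over constructed log lines; the `/update.asp` path and the `acct=` parameter name are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed sample access-log lines (not real singles.org traffic).
# The /update.asp path and acct= parameter name are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - [23/Feb/2009:07:31:02] "GET /update.asp?acct=cscp10000 HTTP/1.1" 200
10.0.0.5 - [23/Feb/2009:07:31:03] "GET /update.asp?acct=cscp10001 HTTP/1.1" 200
10.0.0.5 - [23/Feb/2009:07:31:04] "GET /update.asp?acct=cscp10002 HTTP/1.1" 404
10.0.0.5 - [23/Feb/2009:07:31:05] "GET /update.asp?acct=cscp10003 HTTP/1.1" 200
10.0.0.5 - [23/Feb/2009:07:31:06] "GET /update.asp?acct=cscp10004 HTTP/1.1" 200
10.0.0.9 - [23/Feb/2009:07:35:10] "GET /update.asp?acct=cscp10250 HTTP/1.1" 200
10.0.0.9 - [23/Feb/2009:07:36:12] "GET /update.asp?acct=cscp10250 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET (?P<path>\S+) HTTP')
# four-letter prefix followed by the 5-digit account number, as in cscp10000
ACCT_RE = re.compile(r'[?&]acct=[a-z]{4}(?P<num>\d{5})')


def parse_account_ids(log_text: str) -> Dict[str, Set[int]]:
    """Map each client IP to the set of numeric account ids it requested.
    The status code is ignored on purpose: hitting dead accounts (404s)
    is part of the loop/substitution pattern, not a reason to discount it."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = ACCT_RE.search(m.group("path"))
        if a:
            seen[m.group("ip")].add(int(a.group("num")))
    return seen


def longest_sequential_run(ids: Set[int], max_gap: int = 1) -> int:
    """Length of the longest chain of ids in which each id is within
    max_gap of the previous one (a lone id counts as a run of 1)."""
    best = run = 0
    prev = None
    for n in sorted(ids):
        run = run + 1 if prev is not None and n - prev <= max_gap else 1
        best = max(best, run)
        prev = n
    return best


def find_enumerators(log_text: str, min_run: int = 3) -> Dict[str, int]:
    """Return {ip: run_length} for clients whose requests walk a sequence
    of account ids at least min_run long: the signature of id substitution."""
    runs = {ip: longest_sequential_run(ids)
            for ip, ids in parse_account_ids(log_text).items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}
```

A legitimate member repeatedly opening their own page (10.0.0.9 above) is never flagged, while the client stepping through 10000 to 10004 is.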
Many of these people are widows. Many are older folks. Many are quite young. The demographics were pretty broad. But b/c of the nature of the site, I'm sure most had some degree of confidence in the integrity of the company (I don't). As of this writing, many of these folks probably haven't been notified, and even if attempts were made, once their email accounts were breached, emails wouldn't do much good. Singles.org obviously updated their site, b/c the exploit doesn't appear to work anymore; how hard would it have been to update a paragraph's worth of HTML to notify people that this happened? Would you want to know something like this before signing up with a site? I damn sure would, and I'm sure anyone else would too. But as of the time of writing, this is what you see when you go to their homepage:
They sure didn't overlook a single thing when it came to advertising, did they? Too bad they didn't care as much about the security of their members' information. Too bad they still don't care about it.
Perhaps the saddest part of all of this is that unless they notify members of what happened and explain to them all the likely ramifications, some members will have their money stolen and have all sorts of hell brought upon them, and they'll never even know it. They may not even put 2 and 2 together... after all, how would you, unless you happened to find out by some other means?
Well, I'm in the process of speaking to counsel about contacting each person via the emails I have. I don't want to get sued and don't need to be hassled for spamming anyone, but it doesn't look like db.singles.org is going to step up. BTW, you'll notice their claim of 30,000 members. I'm not calling them liars and don't know how they arrive at that number, but I can assure you there aren't anywhere near that many accounts, or weren't as of last night when this all happened.