Plentyoffish CEO: We Were Hacked, Almost Extorted – So I Emailed The Hacker's Mom

The title of strangest WTF story of my morning goes to Plentyoffish CEO Markus Frind, who recounts how his online dating site got hacked, how he and his wife were harassed, and how someone clumsily attempted to extort his company in the aftermath of the events. If that is in fact what happened …

First up, Frind points out that the site was indeed hacked last week in a “well planned and sophisticated attack”.

Apparently, POF users’ email addresses, usernames and passwords were downloaded, although Frind does not say how many. Plentyoffish has already reset the passwords for all users and claims to have plugged the security hole that allowed the hackers to enter.

An official statement will apparently be published tomorrow, but Frind’s personal, sleep-deprived recount of what happened (“what it feels like to be hacked/extorted and the intense pressure and stress you are put under”) is well worth a read, for starters.

According to Frind, an Argentinian hacker named Chris Russo – who recently hacked The Pirate Bay – broke into Plentyoffish after two days of sleuthing, under his real name.

Then, this happened (still, according to Frind):

At midnight Miami time my wife gets a call from Chris Russo that plentyoffish has been hacked into and that Russians have taken over his computer and are trying to kill him, and his life is in extreme danger and they are currently downloading plentyoffish’s database. Chris is trying to create a sense of panic.

I listened in the background and I closed the breach if indeed there was one while my wife was on the phone and then I immediately ordered an investigation. Over the next 24 hours we got a lot of voice mails from Chris Russo frantically wanting to talk to us.

It gets much more complicated (and confusing) but you can read Frind’s blog post for more details on his side of the story.

Meanwhile, Russo, who describes himself as a bona fide security researcher, says he and his team only discovered a security vulnerability in the online dating site, that hackers were already exploiting the hole, and that he merely reported it to Frind and co in good faith.

Russo says the hole exposed usernames, addresses, phone numbers, real names, email addresses, passwords in plain text and PayPal accounts of more than 28 million users. According to Russo, he simply tried to make an arrangement with Plentyoffish to analyze the security issues in return for compensation.

Frind says Russo and his team were attempting to extort him:

They then say we should find a way to work together as they are a security company. In exchange for complete access to all of our source code and SQL servers they can make sure we aren’t attacked again. Now they want us to Sign NDA’s Contracts etc.

They also claim they know the locations of where the Russians dumped our data and they can delete it.

They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations…

Russo alleges that Frind is the one who went ballistic, threatening to “destroy his life” and to make sure “no one is ever going to hire him for anything again” (see email).

Frind concludes his blog post by publishing pictures of the two persons who tried to extort him (Russo and his business partner “Luca”) and acknowledges that he went on a counter-offensive, threatening to sue both men and even emailing Russo’s mother.

Russo is actively posting comments on the blog post in response to Frind’s allegations, if you’re interested in watching the back and forth some more.

We’re awaiting the company’s official statement on the security breach. Accusations abound, but if personal data from Plentyoffish users was really as vulnerable to malicious attacks as Russo claims, then that’s what everyone should be focusing on first and foremost.

Update: more reading material: Hacked, Blames Messenger

(Thanks to Miguel Hernandez for the tip)