Users complain of account hacks, but OkCupid denies a data breach

It’s bad enough that dating sites are a pit of exaggerations and inevitable disappointment, they’re also a hot target for hackers.

Dating sites aren’t considered the goldmine of personal information like banks or hospitals, but they’re still an intimate part of millions of people’s lives and have long been in the sights of hackers. If the hackers aren’t hitting the back-end database like with the AdultFriendFinder, Ashley Madison and Zoosk breaches, the hackers are trying break in through the front door with leaked or guessed passwords.

That’s what appears to be happening with some OkCupid accounts.

A reader contacted TechCrunch after his account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password.

OkCupid didn’t send an email to confirm the address change — it just blindly accepted the change.

“Unfortunately, we’re not able to provide any details about accounts not connected to your email address,” said OkCupid’s customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number that was lifted from one of his private messages.

It wasn’t an isolated case. We found several cases of people saying their OkCupid account had been hacked.

Another user we spoke to eventually got his account back. “It was quite the battle,” he said. “It was two days of constant damage control until [OkCupid] finally reset the password for me.”

Other users we spoke to had better luck in getting their accounts back. One person didn’t bother, he said. Even disabled accounts can be re-enabled if a hacker logs in, some users found.

But several users couldn’t explain how their passwords — unique to OkCupid and not used on any other app or site — were inexplicably obtained.

“There has been no security breach at OkCupid,” said Natalie Sawyer, a spokesperson for OkCupid. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

Even on OkCupid’s own support pages, the company says that account takeovers often happen because someone has an account owner’s login information. “If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach,” says the support page.

That describes credential stuffing, a technique of running vast lists of usernames and passwords against a website to see if a combination lets the hacker in. The easiest, most effective way against credential stuffing is for the user to use a unique password on each site. For companies like OkCupid, the other effective blocker is by allowing users to switch on two-factor authentication.

When asked how OkCupid plans to prevent account hacks in the future, the spokesperson said the company had “no further comment.”

In fact, when we checked, OkCupid was just one of many major dating sites — like Match, PlentyOfFish, Zoosk, Badoo, JDate and eHarmony — that didn’t use two-factor authentication at all.

As if dating wasn’t tough enough at the best of times, now you have to defend yourself from hackers, too.