07 February 2011

Canadian Dating Site PlentyofFish.com Hacked


Something that caused a stir last week was the hacking of the Canadian dating site Plenty of Fish (sometimes known as PoF), which rose to fame on the SEO webmaster forums thanks to a picture of Markus Frind holding an AdSense cheque for $132,000 for two months’ earnings.

For anyone not familiar with the site, it’s a kind of craigslist for dating – simple oldskool interface, no charges, no premium memberships and finally a place for all the other dating sites to advertise.

The news started to come out that there were some major flaws in the site and that hackers had managed to download the whole member database, including plain text passwords, as no hashing was used (shocker).

What do you do when you find out that someone has hacked into your Website and possibly stolen the personal information of thousands of users?

If you’re Markus Frind, you email the hacker’s mother.

It’s all part of a bizarre story involving an Argentinian hacker, a Vancouver Website owner, a former Washington Post reporter, threatening phone calls and alleged attempted extortion.

On Sunday night, Mr. Frind, the founder and chief executive of the popular free online dating website PlentyOfFish.com — which is headquartered in Vancouver — posted a note to his personal blog telling a story about how a hacker from Argentina allegedly tapped into the Plenty of Fish database and stole the emails, user names and passwords of the site’s users.

In the 990-word blog post, Mr. Frind details his account of what happened.

Plenty of Fish hacked, CEO recounts bizarre ordeal with hacker in blog post

Markus Frind went on to rant about the hacker Chris Russo and some kind of extortion scheme that was going on, plus he made some kind of underhanded swipe (which he later took back) that Brian Krebs was involved in it.


This is not a statement from Plentyoffish, I’ll post something in the morning. This is a personal post about what it feels like to be hacked/extorted and the intense pressure and stress you are put under. Not to mention how annoying it is to have someone constantly harassing and trying to scare your wife at all hours of the day. I think I slept a total of 2 hours a night for a week….. Plentyoffish was hacked last week and we believe emails usernames and passwords were downloaded. We have reset all users passwords and closed the security hole that allowed them to enter.

Plentyoffish Hacked.

Krebs of course also reported on things from his side.

Hackers have breached the database of online dating site PlentyOfFish.com, exposing the personal and password information on nearly 30 million users. In response, the company’s founder has implied that the editor of KrebsOnSecurity.com was involved in an elaborate extortion plot.

PlentyofFish.com Hacked, Blames Messenger

We at Darknet also received an e-mail last week from someone identifying himself as Chris Russo; the e-mail is reproduced in full below:

From: chris russo
Subject: 30,000,000 users exposed on www.plentyoffish.com and a death threat from Mr. Markus Frind; please help.

Message Body:
Hi, I’m a security researcher from Buenos Aires, Argentina.

The last Friday 21 of January, we discovered a vulnerability in www.plentyoffish.com exposing users’ details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most of cases, paypal accounts, of more than 28,000,000 (twenty eight million users). This vulnerability was under active exploitation by hackers.

My team decided to notify about this circumstances to Mr. Markus Frind, the founder and CEO of PlentyOfFish Inc. as soon as possible in order to stop any potential damage which could be done, by the exploitation of this vulnerability.

The flaw was reported the same night to Annie Kanciar, his wife, who was very thankful with us, and contacted one of their developers in order to inform about this flaw.

The vulnerability was fixed and they remain in contact with us, since they were interested in hiring us as security professionals in order to make an analysis of the platforms.

While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website.

We arrange to send the documents about the vulnerability we had found, a business plan, and the CVs of the personnel working with us by Monday 31 of January.

The vulnerability was properly documented by our team, without exposing any confidential user information. This was an error-based MSSQL injection, that could allow any attacker to make a full backup of the databases used by the webserver, and/or gain direct access into the site.

By the nightfall of Sunday 30, Mr. Markus Frind sent me an email accusing us to steal his whole user database without a single proof, based on supposed information that “20 employees of him told him”, and a weblink from www.freelancers.com asking for users information of POF. Here is the mail itself:

http://www.freelancer.com/projects/zeesales_929663.html?utm_source=web&utm_medium=twitter

If this data goes public I am going to email every single affected
user on Plentyoffish your phone number, email address and picture.
And tell them you hacked into their accounts.

Then I’m going to sue you in Canada, US and UK and Argentina. I am
going to completely destroy your life, no one is ever going to hire
you for anything again, this isn’t piratebay and we definitely aren’t
fooling around.

Markus.

On Sun, Jan 30, 2011 at 3:19 PM, Kate Bilenki wrote:
> Kate
>
> ---------- Forwarded message ----------
> From: “chris”
> Date: 2011-01-30 3:02 PM
> Subject: Re: Following up
> To: “Kate Bilenki”
>
> Hi Kate, how are you?
> The documents are almost ready, would you like to speak by phone? I’m
> feeling a bit insecure and nervous, the work to be done will take time,
> cooperation and perhaps, physical presence, you may want to come to our
> offices, or i could go there as well…
>
> I’ll send the documents tomorrow, around 3pm Vancouver time. is there any
> phone number we call you guys?
>
> Thanks in advance
> sincerely yours;
> chris russo
>
>
> On 28/01/2011 05:12 p.m., Kate Bilenki wrote:
>
> OK thanks Chris, I’ll watch out for your email. You have a great weekend as
> well.
>
> Kate
>
> On Fri, Jan 28, 2011 at 11:59 AM, chris wrote:
>>
>> Hi Kate, yes, I’m doing a PDF with a plan of action (what should be done
>> in first instance, how we would work around it, what should be done once the
>> incident is totally controlled, and some other additional information, all
>> including times and prices), and gathering all my people CV’s as well. I’ll
>> email all this information to you this Monday, or before if it’s possible.
>>
>> Have a great weekend,
>> sincerely yours;
>> chris
>>
>> On 28/01/2011 04:00 p.m., Kate Bilenki wrote:
>>>
>>> Hi Chris!
>>>
>>> Just thought I’d follow up on the proposal we discussed, please let me
>>> know if you’re still sending it :)
>>>
>>> Thank you very much,
>>>
>>> Kate
>>> Plentyoffish.com

As we can see in the email, it textually says:

If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then I’m going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn’t piratebay and we definitely aren’t fooling around.

Right after that, there were 3 phone calls, which the local police is trying to recover, where he clearly said several times, that my people stole his user database, and he mentioned that there was organized crime or mafias behind sites like the one he runs.

I explained to him several times that we were only reporting an error, but he refused to understand and kept accusing us, over the telephone communication he clearly threatened me again, saying that he was going to do something, just before mentioning about these criminal organizations.

In conclusion:

Plentyoffish.com exposes 30,000,000 users’ information, we reported that, and we got in trouble, and threats, directly by its founder Mr. Markus Frind.

There’s a video recorded showing the vulnerability itself, and the news reporter Brian Krebs verified this vulnerability last week himself (www.krebsonsecurity.com). All the communications by mail are also recorded and stored, in case it’s needed.

In addition, there’s a big chance that there was a real attack over the website, which may put in risk usernames, passwords, full names, email addresses, and financial related information such as paypal account, credit cards, and others, of millions of users, which Mr. Markus Frind refused to advise their users of.

Sincerely yours;
chris russo.
from insilence

for more information:
skype: chrusso99
email: chris.russo99@gmail.com

So, we leave it to your discretion as to what you make of this whole fiasco.




5 Responses to “Canadian Dating Site PlentyofFish.com Hacked”

  1. Bogwitch 7 February 2011 at 11:09 pm Permalink

    I see this as a typical lashing out at the bearer of bad news.

    The phrase ‘Don’t shoot the messenger’ seems very appropriate!

    I don’t agree with the tactic of hacking a site in order to sell security services to the ‘victim’ – an illegal act would not convince me to do business with the perpetrator however I do not think that one with truly evil intent would approach their victim in a commercial setting following the hack.

  2. John 8 February 2011 at 7:09 pm Permalink

    I agree with bogwitch I don’t agree with the tactic of hacking a site in order to sell security services to the ‘victim’

    I do not think of Marcus as a victim quite the opposite, he is a market leader in business and this is why his site was picked on.

    The person who hacked his site will have any of his success or fame rub off on him.

  3. anonymous 10 February 2011 at 1:37 pm Permalink

    We are many and forth the equivalent of haskell hasslehoff to the owner who is a known turd! Assist anonymous in hacking Markus Frind CEO of Plentyoffish.com.

  4. pwnsauce 10 February 2011 at 9:51 pm Permalink

    lol@anonspam

    Anyways, in my opinion big, high profile sites, will always be targets. And this is just an entertaining as hell incidence

  5. rob 13 March 2011 at 2:54 am Permalink

    I read their privacy policy and it says if you get hacked it is your problem.
    They spent more time on their terms and conditions than on their privacy policy.