Details remain sketchy – has the hacker turned security consultant?
Russian online dating firm, Topface, which is said to have 92 million users, has forked out an undisclosed amount of cash to a hacker who stole 20 million user email addresses and put them up for sale.
Dmitry Filatov, CEO of the St. Petersburg-based dating service, said that because the hacker had not passed the data on to anyone, no charges would be brought against him or her.
Ransom or award?
And rather than describing the payment as a ‘ransom’, Topface is calling it “an award for finding a vulnerability”. Details of the vulnerability discovered have not been made public and the hacker is now rumoured to be working with Topface as a consultant of sorts.
Filatov said that the attacker had not accessed any data beyond email addresses; no passwords or private messages were taken.
Topface is recommending that customers change their passwords, although Filatov added that about 95 percent of the dating website’s users access the service through their own social media accounts, and that the company stores users’ billing information.
Jason Hart, VP of cloud services, identity and data protection at digital security firm Gemalto, described it as a hack that could easily have been prevented.
He said: “It’s important to look at what form of security their customers were using. According to the company’s statement, customers use Single Sign-On (SSO) to access their accounts. Although some believe that this is a secure way to authenticate users because it bypasses passwords, SSO allows a user to use the same credentials (user name and password) to access many accounts and therefore, if the SSO account is still only using a static password, it is still weak. Thus, it’s very important that companies enable One-Time Password (OTP) technology when using SSO, because there are more accounts at risk of being a target.
“Alongside the combination of OTP technology and SSO, we’d recommend that companies adopt a ‘secure breach’ approach that focuses on securing the data once intruders penetrate the perimeter defences. This means they need to attach security directly to the data itself using multi-factor authentication and data encryption, as well as securely managing encryption keys. That way, if the data is stolen, it is useless to the thieves.”
Filatov apologised to Topface users for any inconvenience and reassured them that the company plans to improve its data-protection system, according to the statement.