The internet has permeated most industries, and dating applications are one notable example. These give people the opportunity to meet based on personal preferences, and consenting adults have many such services to choose from. One of these, OKCupid, had the opportunity to practice implementing their incident response plan with expertise! Among the industries an attacker could target, dating applications are attractive because of the data they hold. This may include names, email addresses, possibly payment information, and other pertinent data. The data may be sold on the dark web, but may also be used for credential stuffing.
Attack
This was a successful attack. A portion of OKCupid’s user accounts appears to have been compromised. Users stated that their accounts had been accessed by an unauthorized party and that the password and the email address on the account had been changed, which effectively locked them out of their own accounts. This does appear to be a credential stuffing attack. OKCupid has stated that there had been no hacking of the user accounts. This may actually be the case, as the account takeovers were sporadic and followed no trend. They may simply have been due to user negligence.
Could have, would have, and should have
To decrease the opportunity for this to happen to other organizations, there are a few things the business could do. These are relatively simple, yet effective. One is to set up the system so that when a change is made to the account, the user receives an email before the change takes effect. This would notify the user, in case of an attack, of what is occurring with their account. The organization could also use MFA (multi-factor authentication) to assist with this. Generally there is a cost to this; however, it is used by many businesses and works well.
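The notify-before-it-takes-effect control described above can be sketched as follows. This is an added example, not OKCupid's code. The 24-hour hold, the `Account` fields, the function names and the in-memory `outbox` that stands in for a mail service are all assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # assumed hold period; the article does not specify one

@dataclass
class Account:
    email: str
    password_hash: str
    pending: dict = field(default_factory=dict)  # name -> (value, apply_at, token)

outbox = []  # constructed stand-in for a mail service: (recipient, message)

def request_change(acct, field_name, new_value, now):
    """Stage a change instead of applying it, and notify the address on file."""
    if field_name not in ("email", "password_hash"):
        raise ValueError("unsupported field")
    token = secrets.token_urlsafe(32)
    acct.pending[field_name] = (new_value, now + HOLD_SECONDS, token)
    # The notice goes to the CURRENT address, so a staged email change
    # cannot redirect the warning away from the real owner.
    outbox.append((acct.email,
                   f"A change to your {field_name} was requested. "
                   f"To cancel it, use code {token}"))
    return token

def cancel_change(acct, field_name, token):
    """Owner rejects a staged change with the code from the notification."""
    entry = acct.pending.get(field_name)
    if entry is None or not hmac.compare_digest(entry[2], token):
        return False
    del acct.pending[field_name]
    return True

def apply_due_changes(acct, now):
    """Commit staged changes whose hold has elapsed; return the names applied."""
    applied = []
    for name in list(acct.pending):
        value, apply_at, _ = acct.pending[name]
        if now >= apply_at:
            setattr(acct, name, value)
            del acct.pending[name]
            applied.append(name)
    return applied
```

Because both the password and the email address were changed in the reported takeovers, both requests are held and both notices reach the original address, giving the owner the hold period to cancel.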