Hacker Sells 57m Accounts On Dark Web As Top Dating Sites Deny Breach

A number of top dating sites have recently spoken out to deny their involvement in a huge data breach that was discovered online last week.

The hack, which took place last year, allegedly saw hackers steal a database containing the personal information of more than 57m people from an as-yet unknown source.

And a hacker known as Peace has now acquired the extensive database from Russian hackers, and is said to be selling its contents on the dark web for approximately $400.

According to ZDNet, the cache of data contains information spanning three years between 2012 and 2015, and includes usernames, email addresses, and passwords, as well as mobile numbers and Facebook usernames.

The hacker has since claimed that the data was stolen from popular dating site Zoosk, as a result of exploiting weaknesses in the site’s software.

However, following claims that it had come under attack, the dating company – which currently boasts a worldwide user base of 33m people – released a statement strongly denying it was the source of the hack.

In a statement, Zoosk said: “None of the full user records in the sample data set was a direct match to a Zoosk user.”

And after being approached by ZDNet to analyse the data, security expert Troy Hunt, who runs Have I Been Pwned, said he believed it was very unlikely that the data came from the dating site.

Hunt said he was “very suspicious” when data was presented in the way this “breach” was.

In a blog post explaining his analysis of the data, and detailing exactly how he verifies hacks, the security expert said: “In the case of Zoosk, they inspected the data and concluded what I had – it was unlikely to be a breach of their system”.

He also contacted some of the people whose details were found in the breach, with some confirming the details and others denying that they had ever used Zoosk.

In a reply, one user named Rasmus Poulsen claimed that although he had registered with Zoosk in the past, the email address found for him in the breach was not used for that site, and was instead used to sign up to Badoo.

When approached, Badoo also fully denied it had been the victim of the hack, and on further examination Hunt concluded that most of the 88,000 emails containing “badoo.com” were in fact internal corporate accounts used for testing purposes.

Badoo founder Andrey Andreev later confirmed that the company had previously set up around 19,000 test email accounts that were used to test its competitors’ products.

Hunt also found a large number of email addresses ending with “@mobile.badoo.com” in the leaked data, which Badoo attributed to an internal email address system that is used when people sign up using their mobile number.

A spokesperson for the UK-based site said: “We have over 30 million phone registrations out of our 300 million registrations.

“Please take this as an indicator that the information provided to you is not the result of a database breach, but rather must have come from a different source not supplied by Badoo.”

Hunt confirmed this in his blog post, stating that the breach clearly came from neither dating site: “Ultimately both Zoosk and Badoo helped us confirm what we’d already suspected: the “breach” might have some unexplained patterns in it but it definitely wasn’t an outright compromise of either site.”

No other companies have yet come forward to claim any of the data, as investigations into the hack continue.