Establishing Digital Trust: Don't Sacrifice Security for Convenience
In a recent blog post, eHarmony's Becky Teraoka stated that "a small fraction" of the dating site's user passwords have been compromised. Affected members' passwords have been reset, and those members will receive e-mails with instructions on how to access their accounts. "We deeply regret any inconvenience this causes any of our users," Teraoka wrote.
"This is probably an actual hassle -- unlike a compromised LinkedIn account, which at worst would result in someone logging in and listing an internship at somewhere weird -- because it could result in mortifying alterations to your personal dating profile," writes Gizmodo's Molly Oswaks. "Or illegitimate solicitations of a date you do not actually want to go on."
"eHarmony's blog ... omitted any discussion of how the passwords were leaked," writes Ars Technica's Dan Goodin. "That's unsettling, because it means there's no way to know if the lapse that exposed member passwords has been fixed. Instead, the post repeated mostly meaningless assurances about the website's use of 'robust security measures, including password hashing and data encryption, to protect our members’ personal information.' Oh, and company engineers also protect users with 'state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches.'"
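Goodin's objection is that "password hashing" on its own says nothing about how well stored passwords hold up once the table leaks. The following is an added illustration, not code from eHarmony or from the article, using two constructed users who happen to share a password: a fast, unsalted digest (a scheme many sites used at the time) lets anyone holding the table see at a glance which accounts share a password and test candidates against every row at once, while a per-user random salt and a deliberately slow key-derivation function (PBKDF2 here; the iteration count is an assumed value) remove that signal and raise the cost of each guess.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def weak_store(users: dict) -> dict:
    """Weak scheme: one fast, unsalted SHA-256 digest per password.

    Identical passwords produce identical digests, so a leaked table
    reveals shared passwords and can be attacked with one precomputed
    lookup for all users at once.
    """
    return {name: hashlib.sha256(pw.encode()).hexdigest() for name, pw in users.items()}


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stronger scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The stored string carries the parameters so verification can repeat them.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_store(users: dict) -> dict:
    """Hash every password with its own 16-byte random salt."""
    return {name: slow_salted_hash(pw, os.urandom(16)) for name, pw in users.items()}


def verify_slow_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, _dk_hex = stored.split("$")
    candidate = slow_salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def count_shared_digests(store: dict) -> int:
    """Number of users whose stored value is identical to another user's.

    A non-zero count is the tell-tale of an unsalted table: an attacker learns
    which accounts share a password before cracking a single one.
    """
    values = list(store.values())
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    weak = weak_store(USERS)
    strong = strong_store(USERS)
    print("shared digests, unsalted:", count_shared_digests(weak))   # 2
    print("shared digests, salted:  ", count_shared_digests(strong))  # 0
    print("alice verifies:", verify_slow_salted("correct horse", strong["alice"]))
```

The point for a disclosure notice is that only the second scheme justifies an assurance like "our passwords were hashed"; a post that does not say which scheme was in use gives readers no way to judge how urgently they need to change the password elsewhere.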
"What really disappoints me is that eHarmony misses an opportunity to tell its users explicitly that if they use the same password on other websites they must change their passwords there also," writes Sophos' Graham Cluley. "As we've said many times, you shouldn't use the same password on multiple websites. Doing so is a recipe for disaster -- because if you get hacked in one place, all of your other online accounts at other sites which use the same password could fall shortly afterwards."