Grumo Media

Plenty Of Fish Hacked – Chris Russo explains what happened

UPDATE 2: Chris Russo (aka ch russo) mentioned that he would be pleased to answer any questions about the incident on plentyoffish.com, so if any of my readers are interested, feel free to ask him.
You can follow Chris Russo on Twitter @chrusso99
Or send him a message on Facebook at http://www.facebook.com/chrisrusso99.

UPDATE: Chris Russo asked anyone who wanted to hear his story to contact him, so I did, and here is the full interview in Spanish.
In this interview Chris gives a very detailed description of how he managed to hack Plenty Of Fish and what led to Marcus getting so upset.
Here is the interview:



More on this interview HERE.

I just got in contact with Chris Russo, who managed to hack into the largest dating site in the world, PlentyOfFish.com.
Marcus Frind, founder of POF, wrote an article accusing Chris of hacking/extorting POF and harassing his wife.

From Marcus personal blog:

This is not a statement from Plentyoffish, I’ll post something in the morning. This is a personal post about what it feels like to be hacked/extorted and the intense pressure and stress you are put under. Not to mention how annoying it is to have someone constantly harassing and trying to scare your wife at all hours of the day. I think I slept a total of 2 hours a night for a week….. Plentyoffish was hacked last week and we believe emails, usernames and passwords were downloaded. We have reset all users’ passwords and closed the security hole that allowed them to enter.

Chris wrote this document explaining exactly what happened in his opinion:

30,000,000 users exposed on www.plentyoffish.com and a death threat from Mr. Markus Frind; please help.

Hi, I'm a security researcher from Buenos Aires, Argentina.

Last Friday, 21 January, we discovered a vulnerability in www.plentyoffish.com exposing user details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text, and in most cases PayPal accounts, of more than 28,000,000 (twenty-eight million) users. This vulnerability was under active exploitation by hackers.

My team decided to notify Mr. Markus Frind, the founder and CEO of PlentyOfFish Inc., about these circumstances as soon as possible in order to stop any potential damage which could be done by the exploitation of this vulnerability.

The flaw was reported the same night to Annie Kanciar, his wife, who was very thankful to us, and contacted one of their developers in order to inform them about this flaw.

The vulnerability was fixed and they remained in contact with us, since they were interested in hiring us as security professionals in order to make an analysis of the platforms.

While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website.

We arranged to send the documents about the vulnerability we had found, a business plan, and the CVs of the personnel working with us by Monday 31 of January.

The vulnerability was properly documented by our team, without exposing any confidential user information. This was an error-based MSSQL injection that could allow any attacker to make a full backup of the databases used by the webserver, and/or gain direct access into the site.

By nightfall on Sunday 30, Mr. Markus Frind sent me an email accusing us of stealing his whole user database without a single proof, based on supposed information that "20 employees of him told him", and a weblink from www.freelancers.com asking for users' information of POF. Here is the mail itself:

http://www.freelancer.com/projects/zeesales_929663.html?utm_source=web&utm_medium=twitter

If this data goes public I am going to email every single affected
user on Plentyoffish your phone number, email address and picture.
And tell them you hacked into their accounts.

Then I'm going to sue you In Canada, US and UK and Argentina. I am
going to completely destroy your life, no one is ever going to hire
you for anything again, this isn't piratebay and we definitely aren't
fooling around.

Markus.

On Sun, Jan 30, 2011 at 3:19 PM, Kate Bilenki wrote:
> > Kate
> >
> > ---------- Forwarded message ----------
> > From: "chris"
> > Date: 2011-01-30 3:02 PM
> > Subject: Re: Following up
> > To: "Kate Bilenki"
> >
> > Hi Kate, how are you?
> > The documents are almost ready, would you like to speak by phone? I'm
> > feeling a bit insecure and nervous, the work to be done will take time,
> > cooperation and perhaps, physical presence, you may want to come to our
> > offices, or i could go there as well...
> >
> > I'll send the documents tomorrow, around 3pm Vancouver time. is there any
> > phone number we call you guys?
> >
> > Thanks in advance
> > sincerely yours;
> > chris russo
> >
> >
> > On 28/01/2011 05:12 p.m., Kate Bilenki wrote:
> >
> > OK thanks Chris, I'll watch out for your email. You have a great weekend as
> > well.
> >
> > Kate
> >
> > On Fri, Jan 28, 2011 at 11:59 AM, chris wrote:
>> >>
>> >> Hi Kate, yes, I'm doing a PDF with a plan of action (what should be done
>> >> in first instance, how we would work around it, what should be done once the
>> >> incident is totally controlled, and some other additional information, all
>> >> including times and prices), and gathering all my people CV's as well. I'll
>> >> email all this information to you this Monday, or before if it's possible.
>> >>
>> >> Have a great weekend,
>> >> sincerely yours;
>> >> chris
>> >>
>> >> On 28/01/2011 04:00 p.m., Kate Bilenki wrote:
>>> >>>
>>> >>> Hi Chris!
>>> >>>
>>> >>> Just thought I'd follow up on the proposal we discussed, please let me
>>> >>> know if you're still sending it :)
>>> >>>
>>> >>> Thank you very much,
>>> >>>
>>> >>> Kate
>>> >>> Plentyoffish.com

As we can see in the email, it says verbatim:

If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then I'm going to sue you In Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.

Right after that, there were three phone calls, which the local police are trying to recover, in which he clearly said several times that my people stole his user database, and he also mentioned that there was organized crime or mafias behind sites like the one he runs.

I explained to him several times that we were only reporting an error, but he refused to understand and kept accusing us. Over the telephone he clearly threatened me again, saying that he was going to do something, just before mentioning his connection to criminal organizations.

In conclusion:

Plentyoffish.com exposes 30,000,000 users' information; we reported that, and got nothing but trouble and threats, directly from the founder, Mr. Markus Frind.

There's a video recorded showing the vulnerability itself, and the news reporter Brian Krebs verified this vulnerability last week himself (www.krebsonsecurity.com). All the communications by mail are also recorded and stored, in case they're needed.

In addition, there's a big chance that there was a real attack on the website, which may put at risk usernames, passwords, full names, email addresses, and financial related information such as PayPal accounts, credit cards, and others, of millions of users, which Mr. Markus Frind refused to advise their users about.

Sincerely yours;
chris russo.
from insilence

for more information:
skype: ########
email: #############

http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/#comment-119006
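Russo's write-up names two defects: an error-based SQL injection in the web tier and passwords stored in plain text. The following Python example is added here to illustrate both from the defender's side; it is not code from the original post, from Russo, or from Plenty Of Fish. It uses Python's built-in sqlite3 as a stand-in for MSSQL (an assumption; the page does not describe the real stack), a constructed two-row user table, and PBKDF2-SHA256 via hashlib for password hashing. The concatenated query breaks on a username containing an apostrophe and hands the database's own error text back to the caller, which is exactly the information channel an error-based injection depends on; the parameterized query handles the same input correctly, and with hashed storage a dump of the table no longer yields usable passwords.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts (not real POF data). The second username
# carries an apostrophe, the character that breaks a concatenated query.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("o'brien", "obrien@example.com", "correct horse"),
]

# Iteration count is an assumption for this example; tune it to the hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted PBKDF2-SHA256 hash in a self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the MSSQL user table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_hash TEXT)")
    for username, email, password in SAMPLE_USERS:
        # Only the salted hash is stored; the plaintext never reaches the table.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (username, email, hash_password(password)))
    conn.commit()
    return conn


def lookup_email_concat(conn: sqlite3.Connection, username: str) -> dict:
    """Vulnerable pattern: user input pasted into the SQL text.

    Any input that changes the query's shape (an apostrophe is enough) reaches
    the SQL parser, and the database's error text is what the caller gets back.
    That leaked error text is the channel an error-based injection relies on.
    """
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"error": str(exc)}
    return {"email": row[0] if row else None}


def lookup_email_param(conn: sqlite3.Connection, username: str) -> dict:
    """Hardened pattern: the placeholder keeps input as data, never as syntax."""
    row = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return {"email": row[0] if row else None}


def dumped_table_reveals_passwords(conn: sqlite3.Connection) -> bool:
    """Simulate the 'full backup' of the table an attacker would take: with
    hashing in place, none of the sample plaintext passwords appear in it."""
    dump = " ".join(str(r) for r in conn.execute("SELECT * FROM users"))
    return any(pw in dump for _u, _e, pw in SAMPLE_USERS)


if __name__ == "__main__":
    db = build_db()
    print(lookup_email_concat(db, "o'brien"))   # the error path
    print(lookup_email_param(db, "o'brien"))    # {'email': 'obrien@example.com'}
    print(dumped_table_reveals_passwords(db))   # False
```

Two design points are worth noting. The parameterized form needs no escaping routine because the driver never lets user data become query syntax, so a legitimate name like O'Brien and a hostile string are handled identically. The error path in lookup_email_concat is the thing a production handler must never return to a client; even after the query is parameterized, database errors belong in server-side logs, not in HTTP responses.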



  • What happened

    POF guy was in Miami at a dating conference.

    What you’re seeing is what happens when you use too much cocaine: paranoid delusions, nonsensical lies, erratic behavior, etc.; don’t take it personally, he’ll forget about it when the coke wears off.

    • WendelOWilliams

      WHAT??? COKE WEARS OFF???? AAAAAAAAAAAAAAHHH!!! lol

      He’s probably trying to forget about it as we speak…

      Hey, anyone that thinks any part of the internet is at all secure? …man I wish I was that naive- just dumb-shit ignorant. Gives me a woody just thinking about it.

      For every decent code writer there’s a dozen code breakers not getting paid a DIME to do their deeds- and this is life, here on Earth…

      CTRL/ALT/DELETE- I wanna do-over~

  • Rapper

    Don’t take what personally? That POF is run by the mafia? LOL

  • http://is-hacked.com Adam

    Ahh, they do cry when their coders leave gaping holes in their system, making their customers’ data insecure. It’s easier to blame “the hacker” than to use quality developers or even employ a security firm to check a quality website developer’s work.

    Hindsight is a bitch.

  • Not Chris

    Is that Chris “The blackhat scammer and self-proclaimed security researcher that takes credit for other people’s work and claims he discovered it to get some recognition” Russo?

    He is not a researcher, he is just a failure of a former blackhat that decided to turn white after he scammed everyone else. Now he is taking credit for other people’s successes, such as the Piratebay hack.

    It wouldn’t surprise me if he had nothing to do with this breach at all in the beginning but either bought the database access or perhaps some of his friends gave access to him, like with the PirateBay and he decided to take all the credits for it.

    So my last words are that Chris Russo is not a researcher but a low life criminal that wants to get recognized.

    Stay away from this guy and don’t give him any attention he is just a lamer.

    • nogero

      @notchris

      And how do you know that?

      • Not Chris

        I know a lot about him, also known as s.pusher, blackmamba, bmamba. He has been scamming people for a lot of money over the years and rather than calling him a “Security researcher” I’d give him the title “Professional scammer”.
        That’s what he is, and an a*slicker.

        He is nothing but a criminal and I hope that Marcus pulls some charges on him so he can spend a while in jail.

        His activity is strictly blackhat and I’m sure the POF database will be for sale on the blackmarket just like the Piratebay database.

  • JMiller

    I’ve read Markus’ account of what happened and I can say without reservation I would never, ever hire you to do any work for my firm. Extortion games are grounds for criminal action.

    • Bill Smith

      Did you REALLY read over Markus’ account of what happened? The one that looks like a sleep-deprived 12 year old wrote it? This guy is clearly not a good security researcher but Markus seems like a complete douche-bag whose team couldn’t design a secure database/application to save their lives! Who keeps plain text passwords in a database next to payment information? For his sake he had best be notifying users and their banks!

    • Brian

      I read Markus’ account as well and it’s written like a total whack job having a meltdown. He makes numerous contradictory and bizarre statements and comes across as a person not in control of himself. What kind of multi-million dollar company has a blog on a free wordpress site? Chris’s account comes across as much more reasonable, and I would not doubt drug use and possible complete mental breakdown by the sinister Frind.

      • DLumber

        You guys are effing morons. POF is basically a mom and pop shop that blew up worldwide. Frind’s wife dealt with this Argentinian douche bag! Not some customer relations department or marketing arm. His wife! Does that give you any idea of the scale of his “coke-fuelled enterprise”! Yet another little miscreant sitting behind his computer trying to terrorize and puff out his chest in the process. Sure, go ahead and hack a bittorrent site…but to f%&k with a dating site and threaten the privacy of those users makes you a punk. Check out Frind’s blog and the photos of these little posers. Off with their heads!

        • Bill Smith

          Yeah, it blew up and now it’s imploding. The site was designed by morons and run by douche bags. This guy didn’t hack anyone (from what I’ve read/heard, he doesn’t have the skills) but this wasn’t even a true hack.. SQL injection is a basic script kiddie skill that anyone can figure out and understand… what’s unbelievable is that they stored the passwords in plain text. If they’re dumb enough to do that then god knows what else they stored that they shouldn’t have. Have you read Frind’s blog? He posts numerous things that are completely unprofessional (e.g. listing Assange’s profile) and then he writes this nearly incomprehensible post about this incident. Markus is the one that threatened his users’ privacy.

          • Plentyoffishsucks55

            I pointed out many times in the past that Marcus Frind is very unprofessional. That is why his staff, especially his volunteer mods, are such rude individuals.

        • http://www.longdongjohn.com John Dong

          Threaten the privacy of the users? how about how Markus himself posted Julian Assange’s profile details on his blog? very professional conduct…

          http://plentyoffish.wordpress.com/2010/12/16/i-deleted-julian-assanges-account/

        • nogero

          @DLumber: I think you have the picture fairly accurate by my assessment. They buried your post over at krebsonsecurity. Krebs has a little nerdy fan club that buries any post they deem not in the club.

        • OhNoHeDi’unt!

          re: @ Dlumber~

          MAN, I had to read all the way down to you til someone got it right- just a site that blew up! First off, internet dating has classically been pay sites so make a free one, market it well and it WILL take over. People notice and in come the advertising millions, like Craigslist, Facebook, etc. Doesn’t matter what it looks like, it’s how many people log in. I’m on it cuz- well, I’ve always thought that having to deal with that many F’ed up people should be something I get paid for so it was perfect for me. These sites also get as automatedly run as possible like Facebook, Craigslist, MySpace, etc. and programmers or whoever get complacent their original programming and occasional crappy content modifications are sufficient and their code looks more for format protocol rather than security so when they had a paid “upgrade” available on POF they should have modified everything accordingly, thus the pay pal accts. If you need extra security for your house wouldn’t you wanna do a bit more than put a single camera on the front door and assume all the other doors and windows will be okay… DICK!! (not you DLumber) Also who doesn’t know programmers are sensitive about their product being porous or poorly written? I can totally see Markus all fetal-position, thumb-in-mouth with the wife strapping on her UC Berkley combat boots…

          I usta like Pirate Bay too, now it’s like downloading Metallica from Napster in its final days (he says using his last surviving hard drive) ahh the memories- my first blue screen. Good times, good times . . . . .

  • aragami

    While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresposive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website.

    What is this a shitty horror movie?

  • Matt

    Any developer that’s still storing passwords in the clear needs to be banned from TOUCHING computing devices permanently. Seriously, WTF?

    • overworkedDevSchlepper

      I’d wager that the devs that made the site were/are overworked and poorly paid. If I was in that situation, I’d give little fuck whether passwords were stored securely or not – it’s the prick making bucketloads of cash off my sweat that gets to follow up when shit hits the fan ;) i.e. NOW

      • BillCole

        Being overworked and underpaid is a valid excuse for quitting a job, but those who use it as an excuse for doing crappy work disqualify themselves from jobs that do anything of persistent value. An SQL injection vulnerability that exposes user passwords cannot have been written by someone who was underpaid, rather it was written by someone who demonstrably was overpaid: their code was of negative value.

        And yes, there are a lot of coders out there who are “underpaid” in the sense that they are not paid what a good developer should make, but who are really being paid far more than their work is worth.

  • Rick

    The English in the emails sent by Chris is significantly different from this post. The sentence structure, grammar and vocabulary are all much better in the emails. I’m not suggesting the meaning has been altered, but I do wonder if the emails have been re-written or else were written for Chris by someone else?

  • Jack Bower

    Laugh. Everything about POF is low quality, from the graphics to the members to the worthless iPhone app. It doesn’t come as any surprise that Markus was too inept to code anything secure. COO/CTO, laugh. Chris, do the right thing and preemptively release all the contact information for Markus and anyone else associated with him. If he’s too cheap to make POF look like a website from the 2000s, he’s likely too cheap to file suit against you.

  • Rusty

    “Security Researcher”. Those 2 words are enough for me to form an unflattering opinion of what Mr Chris Russo does for a living…

    • dw

      Not sure why being a security researcher is inherently “unflattering”. I work for a security company and there is such a thing as ethical hacking. Security researchers often find flaws in systems and will notify the owner of the system so that they can handle it quietly. If met with ignorance or resistance, they can sometimes threaten to release the flaw publicly to embarrass the owner into action.

      POF not only stores passwords in plaintext but they EMAIL IT OUT to their users on a regular basis. Email is not a secure transmission medium. If they are storing sensitive information, like Paypal accounts, this is definitely acceptable.

    • nogero

      I agree Russo’s approach is not ethical.

      • nogero

        But he does like that photo of himself.

  • codermuthafucka

    Mr. Markus Frind as Rick Flair coke snortin’ mafia lackey, LOL

    WHOOOOOOO!

    These guys deserve each other. Llamas all around…

  • HackDefendr

    @Rusty STFU you wanker.

  • Daniel

    I had never even heard of plentyoffish.com until now, but boy does the site look like ass. PlentyOfFish.com, did a soccer mom with a knack for making one-page collages for her book club on Geocities do your design work?

    • Soccer Mom

      Yeah, only the biggest dating site on the web, why should you know about it?

      • yabba

        Because he has a life?

        I just looked at the site for the first time myself, and the homepage has 15 pics of guys who look like complete douchebags. LOL. Sorry, but I’ll pass too.

      • Oh, please

        Not for long, it won’t be.

    • http://www.longdongjohn.com John Dong

      Markus refuses to correctly resize the thumbnail images because if he does that he will lose millions of impressions and advertising revenue because people won’t have to click through to a profile to see if the person is good looking or not. Clearly he chooses money over the user experience, and POF does not deserve to be at the top of the dating site game. OKCupid is an infinitely better site, and also free.

      • Joshua

        Give CrushBlvd a try: http://crushblvd.com. Free, no ads and much better looking people on it.

  • sean

    If it’s a free website, I don’t know why any of the users would have financial data such as their paypal info on the site. Sounds like someone is hacking info that doesn’t even exist.

    • Hgfghfsdfs

      Now they make you pay to see if your message has been read or not, and a few other things like gifts and shit.

  • http://www Nikita

    why you bring russians into it man? always russians, blame for everything. you hack, you hold your head high. and why? why you call his wife.

  • http://lamerzmustdie.com Lame

    he’s making 10M per month from adsense that’s why he’s nervous.
    money destroys brain cells.
    more money more damage ))

    lol.

    next time just download the database and deface the site. BWAHAHA!!

  • http://www.flirt1.net/traummann.html traummann

    Damn, I am from Germany and want to hear the interview, is it possible to hear it in German or even in English? Would be great.

    • http://grumomedia.com Miguel Hernandez

      Hi, the whole transcription is on a separate page. Here is a link using Google Translate so you can read it in English (not perfect, but good enough to understand).
      Here is the link -> http://bit.ly/fpSagu

  • Tomdelorme1

    delete this dating site

  • me

    My profile was deleted and I don’t know why. I asked them and all they said was to read the terms of agreement. My computer was hacked and that’s all I can think is what happened. They don’t even give you a chance to explain or defend yourself. Bring down Markus and his dating sites. More power to us, not him.

  • Alexandra Symeon

    I am currently hacked by a police officer in Wichita, KS who has hacked into my POF account, my hotmail acct. and my facebook account. I can’t seem to resolve the situation. If you have any suggestions, please let me know. You can find me on facebook under Alex Symeon.

  • http://www.jumpdates.com free dating sites

    I was fortunate enough that my profile was not hampered but my messaged was lots. These sort of indecent make you susceptible towards things.   
