Sunday 3 July 2011

Pepper: Trouble even after you unsubscribed!

As some of you recall, I tried the Dutch dating site Pepper.nl a while ago - and I was not impressed.

Well, Pepper.nl manages to disappoint even after you unsubscribe.
I got a message from them that they had been hacked by a hacker group named AntiSec, which had published the members' account names, e-mail addresses and passwords.

Pepper did a lot of things wrong, and did one thing right.

1. I told them I wanted to leave and have all my data deleted. Since they sent me an e-mail, I am clearly still in their system.

2. They store passwords encrypted but not salted. What does that mean? It means that everybody who knows how the passwords were encrypted only needs to encrypt a dictionary once. Then, by comparing the encrypted dictionary entries to the encrypted entries in the leaked list, you can simply look up what the original password was. (Like finding a name in a phone book by searching for the phone number - only, these days you can do it automated, which makes it easy.)
"Salting" means that a few extra characters get added to the password before encrypting, so that the same password no longer produces the same result for every user, which prevents exactly this kind of attack.
According to AntiSec, Pepper did not even bother with this standard precaution!
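To make the point concrete, here is an added example (not from the original post, and not Pepper's code) of why an unsalted password store can be read off a pre-computed dictionary table while a salted one cannot. It assumes SHA-256 as the digest (the post does not say which algorithm Pepper used) and uses a constructed dictionary and user list.

```python
import hashlib
import os

# Constructed sample data: a tiny dictionary and a tiny set of users.
DICTIONARY = ["password", "welkom01", "qwerty", "pepper2011", "letmein"]
USERS = {"alice": "welkom01", "bob": "qwerty", "carol": "correct horse battery"}


def hash_unsalted(password: str) -> str:
    # The weak scheme the post describes: a plain digest of the password.
    # Equal passwords always give equal digests (SHA-256 is an assumed choice).
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    # Per-user random salt mixed in before hashing. The salt is stored next to
    # the digest; it does not need to be secret, only unique per user.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    # The "encrypt the dictionary once" step from the post: digest -> word.
    return {hash_unsalted(w): w for w in words}


def make_salted_store(users):
    # What a salted store looks like: user -> (salt, digest).
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_salted(pw, salt))
    return store


def recover_unsalted(leaked: dict, table: dict) -> dict:
    # Unsalted leak (user -> digest): every dictionary password is a direct
    # table hit, no hashing needed at lookup time.
    return {user: table[d] for user, d in leaked.items() if d in table}


def recover_salted(leaked: dict, table: dict) -> dict:
    # Same table against a salted store (user -> (salt, digest)): the digest of
    # "welkom01" on its own never appears, so the pre-computed table is useless.
    # Salting forces the work to be redone per user; a slow hash such as
    # bcrypt, scrypt or Argon2 is what makes that redone work expensive.
    return {user: table[d] for user, (_, d) in leaked.items() if d in table}


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    print(recover_unsalted({u: hash_unsalted(p) for u, p in USERS.items()}, table))
    print(recover_salted(make_salted_store(USERS), table))
```

Run it and the unsalted store gives up alice's and bob's passwords instantly, while the salted store gives up nothing to the same table.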

3. One reason I quit Pepper was that I constantly failed to log in; and they cited "security problems". This makes it extra ironic that their security turns out to be so poor.

4. They did one thing right - they informed their members. Now, I could argue that they had no choice, and that they had been exposed too much already. But I don't want to be that vindictive - I am giving them the benefit of the doubt.

Since it was a while ago that I was on Pepper, I don't even remember which password I used there... so to be on the safe side I have to change several ones. Thank you very much, Pepper.nl, for NOT deleting my data when you bumblers had to!

As a bonus, it proves that Pepper's membership count includes people who have long since unsubscribed. Like me. (Is anybody surprised about this...?)

All in all, Pepper should just leave the online dating business. They are not capable of it.

Update on July 4, 20.21: The timestamp on the e-mail I received yesterday is after 15.30. The hack was published on WebWereld.nl, a major Dutch IT news site, before 14.10 the same day. 14.10 was the time at which WebWereld added Pepper's comments to their article. So Pepper did indeed send the mail because they were forced to. Moreover, it seems that talking to the press was more important than warning the members. For shame!
Resources: the article on WebWereld.nl