This story was sent to us by email by Luca Fenochietto himself; in it he tries to get his side of the story out, which may well be the truth. The full story goes like this:
Last Friday, 21st January, Christian Russo and his partner Luca Fenochietto discovered a vulnerability in PlentyOfFish exposing users' details, including usernames, addresses, phone numbers, real names, email addresses, passwords in plain text and, in most cases, PayPal accounts, of more than 28,000,000 (twenty-eight million) users. This vulnerability was under active exploitation by hackers.
Their team decided to notify Mr. Markus Frind (founder and CEO of PlentyOfFish Inc.) about these circumstances as soon as possible in order to stop any potential damage which could be done by the exploitation of this vulnerability.
The flaw was reported the same night to Annie Kanciar, his wife, who was very thankful to us, and contacted one of their developers to inform them about this flaw.
The vulnerability was fixed and they remained in contact with Christian Russo, since they were interested in hiring him and his team as security professionals in order to carry out an analysis of the platforms.
While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer murdering people from the website.
Christian Russo arranged to send the documents about the vulnerability he had found, a business plan, and the CVs of the personnel working with him by Monday, 31st January.
The vulnerability was properly documented by his team without exposing any confidential user information. It was an error-based MSSQL injection that could allow any attacker to make a full backup of the databases used by the web server and/or gain direct access to the site.
By nightfall on Sunday 30th, Mr. Markus Frind sent Luca Fenochietto an email accusing him and his team of stealing his whole user database without a single piece of proof, based on supposed information that "20 employees told him" and a web link from FreeLancers asking for POF user information. Here is the mail itself:
If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts.
Then I'm going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.
The conversation went like this:
On 28/01/2011 04:00 p.m., Kate Bilenki wrote:
Just thought I'd follow up on the proposal we discussed; please let me know if you're still sending it.
Thank you very much,
To which Chris replied:
Hi Kate, how are you? The documents are almost ready; would you like to speak by phone? I'm feeling a bit insecure and nervous. The work to be done will take time, cooperation and perhaps physical presence; you may want to come to our offices, or I could go there as well…
I'll send the documents tomorrow, around 3pm Vancouver time. Is there any phone number where we can call you guys?
Thanks in advance. Sincerely yours, Chris Russo
OK, thanks Chris, I'll watch out for your email. You have a great weekend as well.
Chris then emailed Kate back:
Hi Kate, yes, I'm doing a PDF with a plan of action (what should be done in the first instance, how we would work around it, what should be done once the incident is totally controlled, and some other additional information, all including times and prices), and gathering all my people's CVs as well. I'll email all this information to you this Monday, or before if possible.
Have a great weekend. Sincerely yours, Chris
As we can see in the email, it textually says:
If this data goes public I am going to email every single affected user on Plentyoffish your phone number, email address and picture. And tell them you hacked into their accounts. Then I'm going to sue you in Canada, US and UK and Argentina. I am going to completely destroy your life, no one is ever going to hire you for anything again, this isn't piratebay and we definitely aren't fooling around.
Right after that, there were three phone calls, which the local police are trying to recover, in which he clearly said several times that Christian Russo and his people stole the PlentyOfFish user database, and he also mentioned that there was organized crime or mafias behind sites like the one he runs.
Luca Fenochietto explained to him several times that he was only reporting an error, but Mark refused to understand and kept accusing Luca. Over the telephone, Luca said, Mark clearly threatened him again, saying that he was going to do something, just before mentioning his connection to criminal organizations.
Plentyoffish.com exposes 30,000,000 users' information; Christian Russo reported it and, as a result, got nothing but trouble and was threatened directly by the founder, Mr. Markus Frind.
There's a video recorded showing the vulnerability itself, and the news reporter Brian Krebs verified this vulnerability himself last week. All the email communications are also recorded and stored, in case they are needed.
In addition, there's a big chance that there was a real attack on the website, which may put at risk the usernames, passwords, full names, email addresses and financial-related information such as PayPal accounts, credit cards and other data of millions of users.