OkCupid Users Report a Credential Stuffing Attack – But The Platform Denies Any Breaches

• A number of OkCupid users have lost access to their accounts, but the platform says this isn't anything unusual.
• Some people were using a unique pass on OkCupid, so a user data leak is possible but still officially denied.
• No dating platforms offer 2FA, and some don’t even ask for confirmation when changing account credentials.

Multiple OkCupid users have contacted TechCrunch to report that hackers have taken over their accounts on the popular dating site, locking them out by changing the associated emails. OkCupid claims that they have not detected any successful stuffing attacks and that there has been no surge of failed login attempts that usually characterize such waves. However, and considering the recent revelations of massive user-credential data dumps that circulate shady hacking forums at low-cost, the reports are likely not just the manifestation of the usual account-takeover incidents. Taking into account other recent successful or unsuccessful stuffing attacks, these reports certainly don’t come as a surprise either.

According to the user reports, some were able to convince OkCupid to perform a password reset for them, while others were denied to be given any details about accounts not connected to their email addresses. As it seems, OkCupid did not send a confirmation email for the changing of the address, and hackers concluded this whole process directly from the platform’s account settings. What is especially interesting is that some of the users who lost access to their accounts claim that the passes they used were unique to OkCupid, so a data breach is bound to have occurred sometime in the recent past.

This has been flatly denied by OkCupid through Natalie Sawyer, the company's communications manager who stated that: “There has been no security breach at OkCupid. All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.” However, she has denied commenting further when questioned on whether they have any plans to increase user protection at their platform by adding the now-missing two-factor authentication option. As OkCupid is only one of a set of major dating sites that don’t offer this extra protective step to their users, it looks like love will come with its own risks this Valentine’s, and the timing of this news is certainly not accidental.

If you’re still willing to take your chances, ensure that at least whatever is in your power is taken care of. Update and run your antivirus tool, use unique passwords everywhere, pick a good password manager, and refrain from accessing their accounts on dating platforms from public networks and computers.

Have you experienced an account takeover on a dating site recently? Do send us the details or share your story in the comments section below. Also, feel free to share this story through our socials on Facebook and Twitter, helping us warn a wider audience.