Companies with great troves of customer data always do their utmost to play down a security breach. Facebook, for example, last week updated its users on the breach that affected 50 million accounts in a blog post casually titled, “Security update”.
Others are reluctant to tell their customers at all; Yahoo was sued earlier this year for covering up the hack of 3 billion user accounts for months.
But what about companies at the other end of the scale, who fabricate security breaches out of thin air?
At IPExpo in London on Wednesday, Graham Cluley, independent cybersecurity researcher, presented a case study of one such company.
Beautiful People Hack
BeautifulPeople.com is a dating website exclusively for people deemed by its community of users as physically attractive.
In 2011, the site issued a press release saying it had been hacked with a virus that dismantled its vetting process and allowed anyone to create an account on the site, which it said let unattractive or overweight people join.
“I saw that and I thought that’s a little bit strange,” said Cluley. “Because how do they know people put on a little weight over Christmas? It’s not as if you update your dating profile to say ‘I’ve gorged myself on Yorkshire puddings’.”
A year later, BeautifulPeople said they threw out another 30,000 members after another supposed virus, dubbed the “Shrek virus”.
Cluley said that at that time, he was working for an anti-virus company.
“When I heard that a dating website had been hit by a virus, I was interested in seeing that piece of malware; we wanted to detect it because if a piece of malware had done such a thing, our anti-virus would be updated to protect other dating websites.”
“They didn’t return my calls, so I got curious about BeautifulPeople.”
Cluley contacted the company to learn more about the virus, only to be told that the matter was being “internally investigated”.
BeautifulPeople also said it hadn’t stemmed from an external hacker but from an employee, and that the only ones who had to worry about their data were the 30,000 “ugly people” who had been booted off the site.
“And this story was scooped up and digested and regurgitated in the media around the world, who believed it hook, line, and sinker.
“Here we have a company who is lying about being hacked. What’s unusual is normally companies lie to say they haven’t been hacked, or they’d only been a little bit and not much data’s been given.
“In the case of BeautifulPeople, they lied to say they had been hacked to get more media attention and more people joining their website.”
There was a coda to the Beautiful People hack story, Cluley said.
BeautifulPeople got hacked — an actual hack that affected 1 million of its users, in the process divulging an array of specific personal information.
“Surprisingly, BeautifulPeople didn’t choose to do a press release about this security breach,” Cluley concluded.