
That's shocking! Really surprised that they don't see this as an issue, I would expect that it's trivial to social engineer someone into forwarding you one of those emails.


It also really takes the wind out of the sails of their whole "you must give us your phone number for security" song and dance and makes it clear the phone number was only for tying your username to your real world identity.


Maybe, but how much value is there in taking over people's OKCupid account?


Someone I knew once sent me an urgent direct message over Twitter that they were stranded in the City of London and needed me to wire money. Phone gone, computer stolen, they could only communicate by Twitter. Of course it wasn't actually my friend, but a 2-bit hacker. But if they were to collect enough accounts and message enough people, someone might bite. Maybe someone would give up something truly valuable if they really thought it was someone they cared about, a long lost son, or a pined-for ex.


If there's no value or downside to someone taking over my OKCupid account, why have a password on it in the first place?


This is a horrible take, obviously there’s different levels of security and risk associated with everything.


A horrible take on how much value is there in taking over people's OKCupid account?

If there's literally no value in taking it over, then why password protect it in the first place?

I have an online photo album and while I could password protect it and share the password with people that I want to share it with, there's very little value (perhaps there's some small social engineering value) in protecting it. If there's no value in exposing it, why bother password protecting it?


It's a bad take because you made it sound like I said it was worthless, when all I implied was that it isn't worth much. There's a difference.


I took your reply as meaning it has so little value that there's no reason to or even harm if someone takes it over.

Did you mean that it's valuable enough that someone should protect it, but shouldn't bother protecting it too much (like, anyone with the URL should have access to it) since it has little value? I'm not sure I really understand the nuance, but I'd be awfully surprised if I forwarded an email to someone from OKCupid and it gave them passwordless access to the account.


There is a huge market in romance scams and people lose huge amounts to it, most people are clever enough to spot them but many aren't. Now if you're able to intercept a genuine conversation it'd give you a good advantage.

Even at a lower level, just sending a bunch of messages asking for money for a cab/train/airfare might yield good returns. People let their guard down when there's a possibility of getting laid.


You'd be surprised, a lot - but I'd wager it's easier to just save the photos and open up your own honeypot that way.

But the messages could be interesting.


The value is relative to motivation, I'd posit.



