Report: Match.com Sign-In Security Flaw Could Be Putting Millions Of User Passwords At Risk

Sure, love might be in the air — but that doesn’t mean tens of millions of Match.com users’ passwords should be floating around like so many bits of easily grabbed flotsam and jetsam. A new report says that due to an apparent security flaw in the dating site’s log-in process, millions of users are at risk of having their passwords stolen.

According to Ars Technica, a tip from an observant reader who noticed the issue in early March led to the discovery that passwords could be exposed whenever someone logs in, because Match.com doesn’t use HTTPS encryption to protect the page.

Using plain HTTP leaves the connection that carries the data unprotected, giving anyone on the same public network as a user, for example, or other eavesdroppers, the chance to snag those credentials, Ars points out.

On the other hand, employing an HTTPS connection makes the information unreadable to anyone but the end user and the server they’re connecting to.

Ars says it’s unclear how long the page has been unencrypted, and has asked Match.com for comment on the situation.

When Consumerist reached out for comment, a spokesperson told us, “We are aware of the issue and are working on a fix.”

Match.com’s HTTP-only login page puts millions of passwords at risk [Ars Technica]
