Allrecipes Serves Up A Heapin' Helping O' Data Breach

There’s no doubt, cooking is big these days. From all-time high ratings for cooking competitions on TV to the proliferation of legions of online sites that offer recipes and advice, being a foodie—or at least a decent home cook—is in. But a security breach over at Allrecipes has left a bad taste in its members’ mouths—and reminds us that not everything that tastes good will agree with us later.

According to security researcher Graham Cluley, the self-styled "food-focused social network" is sending notification mails out alerting members that their email addresses and passwords may have been stolen. But here’s the secret sauce in this recipe of woe: The issue only affects those who registered an account prior to June 2013. Not exactly a perk for loyal membership. So that's definitely odd, kind of like making sushi out of spam (that’s really a thing!) or frying up milk custard.

Cluley reported that the notification emails go something like this:

“We recently determined that the email address and password typed into by members when they created or logged into their accounts prior to June 2013 may have been intercepted by an unauthorized third party. Based on information available to us, we cannot determine with certainty who did this or how this occurred. Our best analysis is that email addresses and passwords were intercepted during account registration or login by our members.”

“Out of an abundance of caution, we recommend that all members who registered or logged into prior to June 2013 promptly change their password. We are taking other steps as well and will continue to work diligently to deter unauthorized activity. You should promptly change your password on and on any other sites for which you use the same username and password.”

Sadly, there may be private communications to members about the issue, but in public, it’s all gluten-free tips and budget-friendly weeknight recipes.

“It’s official Twitter account continues to seem keener to tweet out links to '5 Girl Scout Cookie Copycats to Tide You Over Until Next Year' than spread word to its 60,000 followers that it has suffered a security breach,” Cluley said. “How hard would it have been to post a link to an advisory on the front page of its website, and tweet out a link to it?”

Personally, I also have to wonder why it required registration in the first place. The phenomenon of websites that require registration (and they always say it’s “always free” and “only takes a minute”) to access relatively basic information has gotten out of control (and hackneyed), kind of like the bacon-as-a-dessert phenomenon. I get that it’s part of the monetization effort—registered eyeballs are targeted eyeballs that command higher CPMs—but shouldn’t niche content be relatively targeted anyway?

In any event, Allrecipe’s approach to dealing with the breach—including a lack of transparency and details—is a bit half-baked. In this case, it may be a recipe for a backlash that could eradicate any tasty advertising bump from registration. 

What’s Hot on Infosecurity Magazine?