Model Mayhem suffers second security breach in nine months revealing private member information

Late in the afternoon of January 10th, 2011 members began reporting getting logged in as other members, giving them complete access to another member’s account including private emails. This is the second time this has happened in nine months. The first time was back in April 2010. During that incident, Model Mayhem refused to send out a site wide announcement alerting members to the security breach. They elected instead to send out limited emails to some members who they suspected were affected. At the time, I pointed out that such limited notifications were inadequate. Model Mayhem’s email system, which does not allow permanent deletion of emails, shows both sides of the conversation, so a single account breach exposes hundreds of other members’ email conversations if that one member had exchanged emails with hundreds of members. It is simply impossible to determine which accounts were compromised.
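The symptom described above, members landing inside other members’ accounts, is what a defender would look for in the application’s own request logs: one session identifier being served to more than one user id during its lifetime. The following is an added example, not code from the original post and not anything Model Mayhem runs; the log format (timestamp, `sid=`, `uid=`, method, path) and the sample lines are constructed for illustration. It gives at least a lower bound on which accounts a mixed session touched, which is the starting point for deciding who has to be notified.

```python
"""Find session identifiers that were observed acting as more than one user.

Added example (not from the original post or the site it describes). The
log layout and the sample lines below are constructed; real web servers
and frameworks log sessions differently.
"""
from collections import defaultdict
import re

# Constructed sample log: timestamp, session id, user id, method, path.
# Session a1f3c9 is served to user 1042 and then to user 3387.
SAMPLE_LOG = """\
2011-01-10T16:02:11Z sid=a1f3c9 uid=1042 GET /mail/inbox
2011-01-10T16:02:15Z sid=b77e20 uid=2210 GET /profile
2011-01-10T16:03:40Z sid=a1f3c9 uid=1042 GET /mail/read/551
2011-01-10T16:04:02Z sid=a1f3c9 uid=3387 GET /mail/inbox
2011-01-10T16:04:30Z sid=c0ffee uid=4001 GET /profile
2011-01-10T16:05:12Z sid=b77e20 uid=2210 POST /mail/send
2011-01-10T16:05:55Z sid=a1f3c9 uid=1042 GET /mail/inbox
garbage line that does not match the format
"""

LINE_RE = re.compile(r"^(\S+) sid=(\S+) uid=(\d+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, sid, uid, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sid, uid, method, path = m.groups()
            yield ts, sid, int(uid), method, path


def find_shared_sessions(text):
    """Return {sid: [user ids in order of first appearance]} for every
    session id that was seen acting as more than one user."""
    users_by_session = defaultdict(list)
    for _ts, sid, uid, _method, _path in parse_log(text):
        if uid not in users_by_session[sid]:
            users_by_session[sid].append(uid)
    return {sid: uids for sid, uids in users_by_session.items() if len(uids) > 1}


def affected_users(text):
    """User ids reachable through a shared session: the minimum notification set.
    Anyone who exchanged mail with these users is exposed too, so the real set
    is larger; this only tells you where to start."""
    affected = set()
    for uids in find_shared_sessions(text).values():
        affected.update(uids)
    return affected


if __name__ == "__main__":
    for sid, uids in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} was served to users {uids}")
    print("notify at least:", sorted(affected_users(SAMPLE_LOG)))
```

Run against the constructed log it reports session `a1f3c9` as served to users 1042 and 3387. Because mailbox pages show both sides of every conversation, the people who corresponded with those two accounts were exposed as well, which is why a site-wide notice rather than a hand-picked email list is the only notification that actually covers everyone.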

Model Mayhem fails to notify members

Site problems on Model Mayhem are common, and some may argue that it’s not unexpected for a site of that size and complexity. Site administrators and moderators have no control over technical problems on the site, but admins do have control over how they handle notifications and alerts, and on that front they have failed miserably again. There were no site wide announcements, no updates on their Facebook page, Twitter page, or Blogger page, and their Myspace page has not been used since November 2009. In a forum thread for site related matters, a mod actually put forward the position that since moderators know nothing more than members, nothing really needs to be said. However, a simple site wide announcement alerting members of a possible breach of their private information is the responsible thing to do and may be required under many States’ security breach notification laws.

This particular security breach occurred on the heels of a week long problem where members were not able to log in from certain locations. The problem appears to be connected to one or more of Model Mayhem’s https authentication servers. As of this writing, it is unknown if any fixes have been attempted. The site has gone up and down 26 times in the last 24 hours.

Since the problems are related to their https authentication servers and this is the second breach in nine months without the site taking appropriate steps to notify members, members should think twice before submitting any sensitive data on Model Mayhem, including using a credit card to purchase any services from Model Mayhem. I am also recommending members change their password to one that is unique to Model Mayhem, so if it is ever revealed they won’t have to change it on any other sites that share the same email and password combination. As always, never reveal any financial information in private email. At this point, members should consider their private emails on Model Mayhem as anything but private.

  • For more information on protecting your privacy and the steps to take if you suspect your account may have been compromised, read this section from my post from the last time I wrote about this very same problem.
  • To get instant alerts of Model Mayhem going down, follow this Twitter account.
  • If you are having problems logging into your account, using a proxy server such as www.hidemyass.com or www.kproxy.com will allow you to log in.