
Why not, when they are being completely irresponsible with millions of people's data?



Nothing like hearing reports of security issues to make one remember the adage "There but for the grace of God go I." Humility may be in order: substantially none of us are capable of delivering a system without at least one game-over bug in it.


There but for the grace of contracting security professionals go I.


Incidentally, their notification emails routinely contain your password in cleartext as a "reminder". I signed up for an account several years ago but was put off by the incredibly ugly design. Here's an excerpt from an old email from them (note: redacted by me!). This one is from a few months ago:

-- Hello REDACTED,

Thank you for signing up on 10/12/REDACTED 4:08:52 PM. Remember your password is REDACTED. --

The most recent one from them had an empty string as my password, as in "Remember your password is ."


That is standard behavior for many web sites whose purpose includes no important personal information. vBulletin and some other forum engines do that by default. These site owners figure, probably rightfully so, that the support burden for a forgotten password exceeds the expected value of some black hat actually intercepting the plaintext email (low) times the meaningful impact of any ensuing activity (also low). The chief risk is in compromising a password that this user also uses for applications of high security impact, but it is not the responsibility of this particular site owner to protect a user from generally dumb behavior.

More generally: security best practice is not always about enforcing as tightly as you possibly can. Security has real costs and it's a cost-benefit tradeoff against many other factors.


That may be their assumption (clearly is, given the evidence), but I think it's a pretty poor one and it's certainly off-putting as a potential user.

A dating site contains, practically by definition, a fair bit of personal information. It's not online banking, but there's a lot of ugly stuff that an attacker could do if they could break into a large number of user accounts, and particularly if they could de-anonymize those accounts.

POF was pretty clearly sacrificing security -- which in this context means the potential privacy of their users -- in order to get more engagement and build userbase. Bluntly: they were taking risks with their users' data in order to build their business.

That's not terribly cool in my book, even though I can see why they might have made the decision. The fact that it's understandable doesn't mean that it's right.


They do have personal information, your password for that site and your email address. Lots of people reuse passwords, and that might be their email password. Once you have email & password, you have access to 90% of their online identities.


vBulletin does not store passwords in the clear.

Nor does it transmit passwords in the clear when you go to recover an account.

Same thing with IP.Board (Invision).

The only one that I know of that has done so is phpBB, and I am not sure if it has been fixed or not because with their security track record I don't even want to try them.


The "victim" framing here isn't helping anyone. This is a silly thing to argue about.



