42 million passwords exposed following massive dating website hack

In what must rate as one of the worst password security breaches ever, it has been discovered that the names, addresses, dates of birth and unencrypted passwords of over 40 million online daters have been stolen by hackers.

Yes, that’s right, the passwords were not protected at all. They were stored by the hacked company in *plaintext* format. A disaster waiting to happen…

Online dating user information. Source: Brian Krebs

Security blogger Brian Krebs has reported that an intrusion at online dating firm Cupid Media earlier this year resulted in hackers getting away with the haul of valuable data. It has since been discovered on a web server, alongside data stolen in other hacks, including a recent attack against Adobe.

Cupid Media is a firm based in Queensland, Australia, that runs a wide variety of niche dating websites including AsianDating.com, ChristianCupid.com, SingleParentLove.com, GayCupid.com, and ThaiLoveLinks.com amongst many others.

In conversation with Krebs, Cupid Media managing director Andrew Bolton said that the database included details of inactive users, as well as current customers, and was probably related to a security breach that occurred at the company in January 2013.

Andrew Bolton told Brian Krebs:

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts. We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

What’s alarming is that there doesn’t appear to have been any media reports confirming that a security incident involving customer data occurred at Cupid Media in January 2013. That is very surprising if such a large number of users were put at risk.

Did customers not get informed? Did the firm sweep it under the carpet?

Right now, the true facts remain unclear.

However, what is very clear is that many of the passwords exposed in this latest security breach are woefully bad choices by Cupid Media’s users.

Here is a list of the ten most commonly used passwords, according to the Cupid Media customer database seen by Brian Krebs:

Password       Number of times used
123456         1,902,801
111111         1,212,235
123456789      574,914
1234567        173,235
12345678       140,734
000000         107,996
iloveyou       91,269
1234567890     81,775
??????         79,046
123123         79,013

Pretty pitiful. And the same can be said for the top non-numeric passwords:

Password       Number of times used
iloveyou       91,269
lovely         54,045
qwerty         40,023
password       37,241
azerty         33,579
loveme         32,645
aaaaaa         30,273
mylove         28,266
iloveu         23,787
zxcvbnm        20,362

These passwords would be abysmal choices even if the websites had been storing them in a secure, encrypted format. However, they apparently weren’t even doing that – the passwords were stored in plaintext, meaning they were instantly readable by the human eye, as easily as you are reading this sentence right now.
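To make the difference concrete, here is an added example (not code from the article or from Cupid Media) contrasting a plaintext password store of the kind described above with the usual hardened form: the site keeps only a per-user random salt and a slow, salted PBKDF2 digest rather than reversible encryption, and refuses the most common passwords from the article's tables at registration time. The email addresses, passphrase and iteration count are constructed for the illustration; the deny-list entries are the ones printed in the article.

```python
import hashlib
import hmac
import os

# Deny-list built from the two "most commonly used" tables in the article above.
# Rejecting these at registration removes the entries a cracker would try first.
COMMON_PASSWORDS = {
    "123456", "111111", "123456789", "1234567", "12345678", "000000",
    "iloveyou", "1234567890", "123123", "lovely", "qwerty", "password",
    "azerty", "loveme", "aaaaaa", "mylove", "iloveu", "zxcvbnm",
}


class PlaintextStore:
    """What the article describes: the password itself is the stored record,
    so anyone who copies the database can read every password directly."""

    def __init__(self):
        self.users = {}  # email -> password (constructed sample data only)

    def register(self, email, password):
        self.users[email] = password

    def verify(self, email, password):
        return self.users.get(email) == password


class HashedStore:
    """Hardened form: reject known-common passwords, then keep only a random
    16-byte salt and a PBKDF2-HMAC-SHA256 digest. A stolen copy of this
    table yields no password without an expensive per-entry guess."""

    ITERATIONS = 600_000  # assumption: tune so one digest costs ~100 ms on your hardware

    def __init__(self):
        self.users = {}  # email -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, HashedStore.ITERATIONS
        )

    def register(self, email, password):
        if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
            raise ValueError("password too short or too common")
        salt = os.urandom(16)
        self.users[email] = (salt, self._digest(password, salt))

    def verify(self, email, password):
        record = self.users.get(email)
        if record is None:
            # Do the same work for an unknown account so response time does not
            # reveal which email addresses are registered.
            self._digest(password, b"\x00" * 16)
            return False
        salt, digest = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._digest(password, salt))


def stored_value(store, email):
    """What an attacker holding a copy of the database sees for one user."""
    return store.users[email]


if __name__ == "__main__":
    plain, hashed = PlaintextStore(), HashedStore()
    plain.register("alice@example.com", "iloveyou")
    print("plaintext store leaks:", stored_value(plain, "alice@example.com"))
    try:
        hashed.register("alice@example.com", "iloveyou")
    except ValueError as err:
        print("hashed store rejected common password:", err)
    hashed.register("alice@example.com", "correct horse battery staple")
    salt, digest = stored_value(hashed, "alice@example.com")
    print("hashed store keeps only salt+digest:", salt.hex(), digest.hex())
```

The deny-list check is a floor, not a ceiling: a production service would compare against a much larger list of breached passwords, and a memory-hard function such as scrypt or Argon2 is preferable to PBKDF2 where available. The point the article makes still holds in either case: once the record is a salted digest, a copied database no longer hands the attacker 42 million usable logins.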

Of course, it’s possible that Cupid Media has mended its ways and now stores its dating customers’ passwords in a more secure fashion. Let’s hope so.

But in the meantime, if you are a user of any of these websites, you need to ensure that you are not using the same password on any other website, and always use a password that is hard to guess and tricky to crack.

The truth is that you should never use the same password on multiple websites.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a hack like this, a phishing attack or keylogging spyware) and hackers then using it to unlock your other online accounts.

If you find passwords a burden – simply use password management software like LastPass, 1Password, and KeePass.

Read more about the Cupid Media hack on the Krebs on Security website.

4 Responses

  1. Thouhedul Islam SUCHI 1 November 20, 2013 at 2:55 pm #

    what a degrees for that kind of programmer who cannot
    ensure the security of their users' information. They should be more
    concerned about users' data.

  2. Chas 2 November 20, 2013 at 10:17 pm #

    Brushing security breach under carpet?
    Like Santander are currently doing you mean?
    Surely not?

    • Sant Customer 2 November 27, 2013 at 12:23 pm #

      Yeah, people are even writing about it on Santander's facebook now (see Yvonne Law's post from Nov 16 at https://www.facebook.com/santanderuk?fref=ts&filter=2 )

      My own (uniquely given to Santander) email address is now receiving the generic "we tried to deliver a parcel, please open this .zip file" trojans rather than the message being specific to financial institutions. Maybe this is a sign that the original perps have now sold their stash of email addresses to lower level crims?

      • Colin Law 1 March 6, 2014 at 2:45 pm #

        @Sant Customer, I am Yvonne's husband, we got nowhere with our complaint, can I ask if you made a formal complaint and if so whether you got anywhere? We are contemplating contacting the media about it.