In what must rate as one of the worst password security breaches ever, it has been discovered that the names, addresses, dates of birth and unencrypted passwords of over 40 million online daters have been stolen by hackers.
Yes, that’s right, the passwords were not protected at all. They were stored by the hacked company in *plaintext* format. A disaster waiting to happen…
Security blogger Brian Krebs has reported that an intrusion at online dating firm Cupid Media earlier this year resulted in hackers getting away with the haul of valuable data earlier this year. It has since been discovered on a web server, alongside data stolen in other hacks, including a recent attack against Adobe.
Cupid Media is a firm based in Queensland, Australia, that runs a wide variety of niche dating websites including AsianDating.com, ChristianCupid.com, SingleParentLove.com, GayCupid.com, and ThaiLoveLinks.com amongst many others.
In conversation with Krebs, Cupid Media managing director Andrew Bolton said that the database included details of inactive users, as well as current customers, and was probably related to a security breach that occurred at the company in January 2013.
Andrew Bolton told Brian Krebs:
“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts. We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
What’s alarming is that there doesn’t appear to have been any media reports confirming that a security incident involving customer data occurred at Cupid Media in January 2013. That is very surprising if such a large number of users were put at risk.
Did customers not get informed? Did the firm sweep it under the carpet?
Right now, the true facts remain unclear.
However, what is very clear is that many of the passwords exposed in this latest security breach are woefully bad choices by Cupid Media’s users.
Here is a list of the ten most commonly used passwords, according to the Cupid Media customer database seen by Brian Krebs:
Password | Number of times used |
123456 | 1,902,801 |
111111 | 1,212,235 |
123456789 | 574,914 |
1234567 | 173,235 |
12345678 | 140,734 |
000000 | 107,996 |
iloveyou | 91,269 |
1234567890 | 81,775 |
?????? | 79,046 |
123123 | 79,013 |
Pretty pitiful. And the same can be said for the top non-numeric passwords:
Password | Number of times used |
iloveyou | 91,269 |
lovely | 54,045 |
qwerty | 40,023 |
password | 37,241 |
azerty | 33,579 |
loveme | 32,645 |
aaaaaa | 30,273 |
mylove | 28,266 |
iloveu | 23,787 |
zxcvbnm | 20,362 |
These passwords would be abysmal choices if the websites had been storing them in a secure, encrypted format. However, they apparently weren’t even doing that – storing the passwords in plaintext, meaning they were instantly readable by the human eye as easily as you are reading this password right now.
Of course, it’s possible that Cupid Media has mended its ways and now stores its dating customers’ passwords in a more secure fashion. Let’s hope so.
But in the meantime, if you are a user of any of these websites, you need to ensure that you are not using the same password on any other website, and always use a password that is hard to guess and tricky to crack.
The truth is that you should never use the same password on multiple websites.
If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a hack like this, a phishing attack or keylogging spyware) and then hackers using it to unlock your other online accounts.
If you find passwords a burden – simply use password management software like Bitwarden, 1Password, and KeePass.
Read more about the Cupid Media hack on the Krebs on Security website.
what a degrees for that kind of programmer who can not
ensure the security for their users information. They should more
concern about users data.
Brushing security breach under carpet?
Like Santander are currently doing you mean?
Surely not?
Yeah, people are even writing about it on Santander's facebook now (see Yvonne Law's post from Nov 16 at https://www.facebook.com/santanderuk?fref=ts&filter=2 )
My own (uniquely given to Santander) email address is now receiving the generic "we tried to deliver a parcel, please open this .zip file" trojans rather than the message being specific to financial instituions. Maybe this is a sign that the original perps have now sold their stash of email addresses to lower level crims?
@Sant Customer, I am Yvonne's husband, we got nowhere with our complaint, can I ask if you made a formal complaint and if so whether you got anywhere? We are contemplating contacting the media about it.