27 million online dating passwords allegedly sold on the dark web

Hacker says he removed four million fake profiles before selling the data to others.

David bisson
David Bisson
@
@DMBisson

Mate1

A hacker claims to have recently sold 27 million passwords belonging to users of an online dating website on a dark web marketplace.

News broke earlier this week about how an unnamed hacker allegedly put tens of millions of passwords up for sale on the underground forum Hell.

Joseph Cox of Motherboard, reports that the passwords are believed to have belonged to members of Mate1, an online dating website with an estimated membership base of 36.5 million users.

Sign up to our free newsletter.
Security news, advice, and tips.

In a conversation with Cox the anonymous hacker described how he had control over Mate1’s systems:

“Their server was compromised and the MySQL database was dumped. I had shell/command access to their server.”

Motherboard was able to obtain approximately 500 of the leaked passwords. It has verified that 498 of those credentials linked back to Mate1 accounts.

However, spelling errors and the absence of an email verification system by which a Mate1 user must click a link to activate their account might mean that many of the compromised email accounts either belong to people who actually do not own them or do not function properly.

Interestingly, there are similarities here with what was found at Ashley Madison – which also failed to do any kind of email verification for new accounts. And, like Ashley Madison (which was allegedly riddled with fembots to lure male users into paying for an account) there appear to have been millions of fake accounts on Mate1 too.

The hacker claimed to have originally obtained 40 million accounts, but said they had “pruned out the bot logins.”

“They all had a common password pattern,” they said.

Underground forum Hell

Although the hacker originally offered the dating site’s passwords for sale on the Hell forum for 20 Bitcoin (approximately $8,700), it is unclear if the data actually sold for that amount.

HeartThis leak illustrates that password security should be just as important to web dating services as it should to other online platforms.

Exposed passwords can not only ruin people’s personal lives, as they did in the Ashley Madison fiasco last year, but they can also provide attackers with a means to compromise additional user information, such as payment card details tied to a dating profile or other online accounts protected by the same password.

Clearly, Mate1 and others should invest in technologies that better protect (i.e. use strong encryption measures for) users’ passwords. In the meantime, ordinary users should create a strong, unique password for each of their online accounts and should NEVER reuse passwords across multiple logins.

This will help reduce the risk of exposure if (or more likely when) one of their accounts is compromised.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.