More than 42 million plaintext passwords hacked out of online dating site Cupid Media have been found on the same server holding tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), according to a report by security journalist Brian Krebs.
Cupid Media, which describes itself as a niche online dating network that offers over 30 dating sites specialising in Asian dating, Latin dating, Filipino dating, and military dating, is based in Southport, Australia.
Krebs contacted Cupid Media on 8 November after seeing the 42 million entries – entries which, as shown in an image on the Krebsonsecurity site, show unencrypted passwords stored in plain text alongside customer passwords that the journalist has redacted.
Cupid Media subsequently confirmed that the stolen data appears to be related to a breach that occurred in January 2013.
Andrew Bolton, the company’s managing director, told Krebs that the company is currently making sure that all affected users have been notified and have had their passwords reset:
In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts. ... We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.
Bolton downplayed the 42 million number, saying that the affected table held “a large portion” of records relating to old, inactive or deleted accounts:
The number of active members affected by this event is considerably less than the 42 million that you have previously quoted.
Cupid Media’s quibble on the size of the breached data set is reminiscent of that which Adobe exhibited with its own record-breaking breach.
Adobe, as Krebs reminds us, found it necessary to alert only 38 million active users, though the number of stolen emails and passwords reached the lofty heights of 150 million records.
More relevant than arguments about data-set size is the fact that Cupid Media claims to have learned from the breach and is now seeing the light as far as encryption, hashing and salting goes, as Bolton told Krebs:
Subsequent to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements.
Krebs notes that it could well be that the exposed customer records are from the January breach, and that the company no longer stores its users’ information and passwords in plain text.
Whether those email addresses and passwords are reused on other sites is another matter entirely.
Chad Greene, a member of Facebook’s security team, said in a comment on Krebs’s piece that Facebook’s now running the plain-text Cupid passwords through the same check it did for Adobe’s breached passwords – i.e., checking to see if Facebook users reuse their Cupid Media email/password combination as credentials for logging onto Facebook:
Chad
November 20, 2013 at 10:07 am
I work on the security team at Facebook and can confirm that we are checking this list of credentials for matches and will enroll all affected users into a remediation flow to change their password on Facebook.
Facebook has confirmed that it is, in fact, doing the same check this time around.
It’s worth noting, again, that Facebook doesn’t have to do anything nefarious to know what its users’ passwords are.
Given that the Cupid Media data set held email addresses and plaintext passwords, all the company has to do is set up an automatic login to Facebook using the identical passwords.
If the security team gets account access, bingo! It’s time for a chat about password reuse.
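The two mechanisms this article touches on, a site storing passwords as salted hashes rather than in plain text (Bolton’s remedy above) and a security team checking a leaked credential list against its own users (the Facebook check described above), fit together in one short piece of code. The example below is added here and is not code from Cupid Media, Facebook or Krebs; it assumes PBKDF2-HMAC-SHA256 with a per-account random salt (the article only says “hashing and salting”), and the user table and leaked list are constructed sample data. The point of the reuse check is that the defender never has to store the leaked plaintext or try logins anywhere: it hashes each leaked password with the account’s own salt and compares it to the stored digest, then flags only the matching accounts for a forced reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with a 16-byte random salt per account.
# The work factor is a tunable parameter; raise it on real deployments.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for every account,
    so two users with the password "123456" get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    A wrong password must come back False, not merely 'something else'."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for a site's user table: e-mail -> (salt, digest).
    Plaintext passwords are consumed here and never kept."""
    return {email: hash_password(pw) for email, pw in accounts.items()}


def find_reused_credentials(
    leaked: Dict[str, str], users: Dict[str, Tuple[bytes, bytes]]
) -> List[str]:
    """Return the e-mails whose leaked plaintext password verifies against
    this site's own stored hash. Only those accounts need a forced reset;
    accounts that are absent or use a different password are untouched."""
    hits = []
    for email, leaked_pw in leaked.items():
        record = users.get(email)
        if record is None:
            continue  # not our user; nothing to do
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            hits.append(email)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample data; addresses and passwords are invented.
    users = build_user_table({
        "alice@example.invalid": "123456",
        "bob@example.invalid": "correct-horse-battery-staple",
    })
    leaked = {
        "alice@example.invalid": "123456",    # reused: flag for reset
        "bob@example.invalid": "123456",      # different password here: no hit
        "carol@example.invalid": "aaaaaa",    # not our user: ignored
    }
    print("accounts to reset:", find_reused_credentials(leaked, users))
```

Because the comparison happens on the defender’s side against its own hashes, the leaked list can be discarded as soon as the check has run, and nothing is ever sent to a third-party login endpoint.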
It’s an extremely safe bet to say that we can expect plenty more “we have stuck your account in a closet” messages from Facebook with regard to the Cupid Media data set, given the head-bangers that people used for passwords.
To wit: “123456” was the password for 1,902,801 Cupid Media records.
And as one commenter on Krebs’s story noted, the password “aaaaaa” was employed in 30,273 customer records.
JCitizen’s comment:
That is probably what I would also say if I discovered this breach and were a former customer! (add exclamation point) 😀
Amen, citizen!
If they’re only passwords then it’s not so bad. People who complain about plain passwords are a bit stupid; there is no information in a password. Name, address and phone number are much more dangerous than a password (and you should use different passwords for different types of sites, like you use different keys for different types of buildings). If someone breaks in and steals your email, name and address you are in more real trouble than with some plain password.
Once you have a password in plain text, and a username or e-mail address, you’re pretty much good-2-go. You can write a simple script which will attempt to log in to your victims’ webmail accounts, social networking accounts, etc. Your script can then download large quantities of private data on each of your victims: e-mails, contact lists, etc. If that’s not what Cupid Media wanted the passwords in plain text for, then what were the passwords in plain text for?
Storing the passwords in plaintext is a naive way to do it, but plenty of programmers think they can write their own version of this or that, without doing any research, and it “works fine”. Works Fine = you can log in with your password and it lets you in. Thorough testing = try with a wrong password, it should NOT let you in.
Even more common, managers (especially non-programmer managers) push programmers to get stuff done quickly, thinking that any problems can be fixed later. But of course, the quick-and-dirty design isn’t easy to fix later after your databases are all set up and working and everything depends on the quick-and-dirty design. But, hey, it “works fine” so what can possibly go wrong? Security is ignored until there’s a breach, like this.
I, personally, have been fired for taking the time to do a job right. Multiple times. I’ve seen the company PayPal password tossed around over email and checked into source control along with the other sources; available to anybody who’s a programmer. Breathless startups do this as it’s assumed to be better to get up and running in the short term. (Except the short term never ends.)
You can’t delete your account. If you could then how can the passwords relate to deleted accounts as stated by Cupid Media’s CEO Andrew Bolton?
This is 100% false and he knows it.
Cupid Media have also been incorrectly billing upgrades for 3 months’ Platinum membership when members are only updating to 1 month’s Gold membership.
This is built into their payment system on their website and a scam they’re using to get more money from membership. Once you pay, there’s no way to get the error reversed and they can also re-bill you every 3 months which is disclosed in the fine print on the receipt.