More than 42 million plaintext passwords hacked out of online dating site Cupid Media have been found on the same server holding tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), according to a report by security journalist Brian Krebs.
Cupid Media, which describes itself as a niche online dating network that offers over 30 dating sites specialising in Asian dating, Latin dating, Filipino dating, and military dating, is based in Southport, Australia.
Krebs contacted Cupid Media on 8 November after seeing the 42 million entries, which, as shown in an image on the Krebsonsecurity site, contain passwords stored unencrypted in plain text alongside customer passwords that the journalist has redacted.
Cupid Media subsequently confirmed that the stolen data appears to be related to a breach that occurred in January 2013.
Andrew Bolton, the company’s managing director, told Krebs that the company is currently making sure that all affected users have been notified and have had their passwords reset:
In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts. ... We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.
Bolton downplayed the 42 million number, saying that the affected table held “a large portion" of records relating to old, inactive or deleted accounts:
The number of active members affected by this event is considerably less than the 42 million that you have previously quoted.
Cupid Media's quibble on the size of the breached data set is reminiscent of that which Adobe exhibited with its own record-breaking breach.
Adobe, as Krebs reminds us, found it necessary to alert only 38 million active users, though the number of stolen emails and passwords reached the lofty heights of 150 million records.
More relevant than arguments about data-set size is the fact that Cupid Media claims to have learned from the breach and is now seeing the light as far as encryption, hashing and salting goes, as Bolton told Krebs:
Subsequent to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements.
Krebs notes that it could well be that the exposed customer records are from the January breach, and that the company no longer stores its users’ information and passwords in plain text.
Whether those email addresses and passwords are reused on other sites is another matter entirely.
Chad Greene, a member of Facebook's security team, said in a comment on Krebs's piece that Facebook's now running the plain-text Cupid passwords through the same check it did for Adobe's breached passwords - i.e., checking to see if Facebook users reuse their Cupid Media email/password combination as credentials for logging onto Facebook:
November 20, 2013 at 10:07 am
I work on the security team at Facebook and can confirm that we are checking this list of credentials for matches and will enroll all affected users into a remediation flow to change their password on Facebook.
Facebook has confirmed that it is, in fact, doing the same check this time around.
It's worth noting, again, that Facebook doesn't have to do anything nefarious to know what its users' passwords are.
Given that the Cupid Media data set held email addresses and plaintext passwords, all the company has to do is set up an automated login attempt to Facebook for each leaked email address using the identical password.
If the security team gets account access, bingo! It's time for a chat about password reuse.
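The check described above can be done offline, without any login attempt, by running each leaked plaintext password through the site's own verifier with that user's salt. This is an added illustration, not Facebook's or Cupid Media's code; the user store, the leaked dump and the choice of PBKDF2 are constructed assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is used only because it ships with the standard library;
# the point is that each stored password gets its own random salt.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Return (salt, digest) for a password, with a fresh random salt per user."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, digest):
    """Constant-time check of a candidate password against one stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed sample user store (email -> (salt, digest)): only salted hashes
# are kept, as a site that has moved off plaintext storage would do.
USER_STORE = {
    email: hash_password(pw)
    for email, pw in [
        ("alice@example.com", "123456"),
        ("bob@example.com", "correct horse battery staple"),
        ("carol@example.com", "aaaaaa"),
    ]
}

# Constructed sample of a third-party dump: plaintext email/password pairs.
LEAKED_DUMP = [
    ("alice@example.com", "123456"),   # reused here -> match
    ("bob@example.com", "hunter2"),    # different password -> no match
    ("carol@example.com", "aaaaaa"),   # reused here -> match
    ("dave@example.com", "letmein"),   # not a local account -> skipped
]

def find_reused_credentials(dump, store):
    """Emails of local accounts whose password equals the leaked plaintext.

    No login attempt is needed: each leaked plaintext is run through the local
    verifier with that user's salt. Matches go into a forced-reset flow."""
    reused = []
    for email, leaked_password in dump:
        record = store.get(email)
        if record and verify_password(leaked_password, *record):
            reused.append(email)
    return reused
```

Note that the check only works in this direction: the leaked list is plaintext, so it can be verified against salted hashes, while the site's own hashes reveal nothing to whoever holds the dump.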
It's an extremely safe bet to say that we can expect plenty more "we have stuck your account in a closet" messages from Facebook with regards to the Cupid Media data set, given the head-bangers that people used for passwords.
To wit: "123456" was the password for 1,902,801 Cupid Media records.
And as one commenter on Krebs's story noted, the password "aaaaaa" was employed in 30,273 customer records.
That is probably what I would also say if I discovered this breach and were a former customer! (add exclamation point) :D