42m Passwords Exposed In Cupid Media Hack


The information of 42m people, including email addresses and passwords, was stolen from niche dating site owner Cupid Media by hackers this year.

Cupid Media are an Australian-based company who own over 30 niche dating sites, including BrazilianCupid.com, MilitaryCupid.com and AussieCupid.com.

The hack was exposed by Brian Krebs, a security researcher, who found the information on the same servers as hacked data from Adobe, PR Newswire and the National White Collar Crime Centre.

The information was all stored in plaintext, meaning no encryption was in place, and included names, email addresses, DOBs and passwords of around 42m users from around the world.

Krebs contacted Cupid Media, and their Managing Director Andrew Bolton admitted that this data came from a breach in their security in January.

Bolton said: “In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts.

“We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

Bolton also added: “The number of active members affected by this event is considerably less than the 42 million that you have previously quoted.”

This stance is similar to that of Adobe, who, following their leak, said the numbers reported were far greater than the number of “active users” actually affected.

Adobe were hacked in early November, with the data of 150m users said to be affected; however, they maintained that it was 38m – the others coming from inactive or test accounts.

However, as Krebs says, although these users might not be “active”, many people reuse the same information on other sites, so a breach on one site could compromise the security of many others.

After the Adobe hack, Facebook asked millions of users who had an Adobe account to change their password.

Bolton contacted Krebs saying that since the disclosure, they have made security improvements, including hashing and salting of their passwords, and have stressed to users the need for stronger passwords.

This may be wise, as Krebs found that 2m Cupid Media users chose 123456 as their password, 1.2m chose 111111, and thousands more opted for iloveyou, ?????? and qwerty.

Brian Krebs also exposed the hack of 30m Plenty of Fish users in 2011.
