{"id":2868,"date":"2013-11-15T10:33:51","date_gmt":"2013-11-15T05:03:51","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=2868"},"modified":"2013-12-06T10:43:14","modified_gmt":"2013-12-06T05:13:14","slug":"cupid-media-hack-exposed-42m-passwords","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/cupid-media-hack-exposed-42m-passwords\/","title":{"rendered":"Cupid Media Hack Exposed 42M Passwords"},"content":{"rendered":"<p>An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity.<br \/>\n<!--more--><br \/>\nThe data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.<br \/>\n&nbsp;<br \/>\nThe purloined database contains more than 42 million entries in the format shown in the redacted image below. I reached out to Cupid Media on Nov. 8. Six days later, I heard back from Andrew Bolton, the company\u2019s managing director. Bolton said the information appears to be related to a breach that occurred in January 2013.<br \/>\n&nbsp;<br \/>\n\u201cIn January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,\u201d Bolton said. \u201cWe are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.\u201d<br \/>\n&nbsp;<br \/>\nI couldn\u2019t find any public record \u2014 in the media or elsewhere \u2014 about this January 2013 breach. 
When I told Bolton that all of the Cupid Media users I\u2019d reached confirmed their plain text passwords as listed in the purloined directory, he suggested I might have \u201cillegally accessed\u201d some of the company\u2019s member accounts. He also noted that \u201ca large portion of the records located in the affected table related to old, inactive or deleted accounts.\u201d<br \/>\n&nbsp;<br \/>\n\u201cThe number of active members affected by this event is considerably less than the 42 million that you have previously quoted,\u201d Bolton said.<br \/>\n&nbsp;<br \/>\nThe company\u2019s Web site and Twitter feed state that Cupid Media has more than 30 million customers around the globe. Unfortunately, many companies have a habit of storing data on customers who are no longer active.<br \/>\n&nbsp;<br \/>\nAlex Holden, chief information security officer at Hold Security LLC, said Bolton\u2019s statement is reminiscent of the stance that software giant Adobe Systems Inc. took in the wake of its recently-disclosed breach. In that case, a database containing the email and password information on more than 150 million people was stolen and leaked online, but Adobe says it has so far only found it necessary to alert the 38 million active users in the leaked database.<br \/>\n&nbsp;<br \/>\n\u201cAdobe said they have 38 million users and they lost information on 150 million,\u201d Holden said. \u201cIt comes down to the definition of users versus individuals who entrusted their data to a service.\u201d<br \/>\n&nbsp;<br \/>\nThe danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user\u2019s email address. 
Indeed, Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.<br \/>\n&nbsp;<br \/>\nHolden added that this database would be a gold mine for spammers, noting that Cupid\u2019s customers are probably more primed than most to be responsive to the types of products typically advertised in spam (think male enhancement pills, dating services and diet pills).<br \/>\n&nbsp;<br \/>\nBolton adopted a softer tone in the second half of his email, indicating that the company may not have understood the full scope of the intrusion.<br \/>\n&nbsp;<br \/>\n\u201cSince you have now provided additional information we now have a clearer picture of what transpired back in January,\u201d Bolton wrote. \u201cWe are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.\u201d<br \/>\n&nbsp;<br \/>\nBolton continued:<br \/>\n&nbsp;<br \/>\nSubsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements.<br \/>\n&nbsp;<br \/>\nWe would like to thank you for bringing this issue to our attention and I can confirm that we are committed to investigate this matter further and make any additional improvements still required. Protecting our customer\u2019s privacy and data is important to us and we will continue to make additional investments in improved security for our members. 
We sincerely apologize for the inconvenience this has caused our members.<br \/>\n&nbsp;<br \/>\nIt is entirely likely that the records I have seen are from the January breach, and that the company no longer stores its users\u2019 information and passwords in plain text. At least Cupid Media doesn\u2019t send your password in plain text when you request a password reset, like far too many other companies do. It\u2019s also remarkable that a company with this many users would not have seen this coming. Back in Feb. 2011, I broke a story that received considerable media attention; it was about a hack that exposed some 30 million customer records at Plenty Of Fish (pof.com), an online dating service that also admitted to storing its users\u2019 passwords in plaintext.<br \/>\n&nbsp;<br \/>\nIn any case, since I didn\u2019t have to crack any of the passwords, I thought it might be useful to have a look at the top passwords used by Cupid Media customers. It seems that many Cupid users did not place much value in their accounts when picking passwords, because a huge percentage of them chose downright awful passwords. 
By my count, more than 10 percent of Cupid\u2019s users chose one of these 10 passwords:<br \/>\n&nbsp;<br \/>\n<a href=\"https:\/\/www.qadit.com\/blog\/wp-content\/cupidtop10.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.qadit.com\/blog\/wp-content\/cupidtop10.png\" alt=\"\" width=\"244\" height=\"245\" class=\"aligncenter size-full wp-image-2869\" srcset=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/cupidtop10.png 244w, https:\/\/qadit.com\/blog\/wp-content\/uploads\/cupidtop10-150x150.png 150w\" sizes=\"auto, (max-width: 244px) 100vw, 244px\" \/><\/a><br \/>\n&nbsp;<br \/>\nThe top 10 non-numeric passwords are probably typical for a dating site, but still horrible nonetheless:<br \/>\n&nbsp;<br \/>\n<a href=\"https:\/\/www.qadit.com\/blog\/wp-content\/cupidnonn.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.qadit.com\/blog\/wp-content\/cupidnonn.png\" alt=\"\" width=\"244\" height=\"244\" class=\"aligncenter size-full wp-image-2870\" srcset=\"https:\/\/qadit.com\/blog\/wp-content\/uploads\/cupidnonn.png 244w, https:\/\/qadit.com\/blog\/wp-content\/uploads\/cupidnonn-150x150.png 150w\" sizes=\"auto, (max-width: 244px) 100vw, 244px\" \/><\/a><\/p>\n<p>Original Article: https:\/\/krebsonsecurity.com\/2013\/11\/cupid-media-hack-exposed-42m-passwords\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by 
KrebsOnSecurity.<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[7],"tags":[],"class_list":["post-2868","post","type-post","status-publish","format-standard","hentry","category-frauds"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-Kg","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=2868"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2868\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=2868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=2868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=2868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}