42 million unencrypted passwords leaked in dating site hack

More than 42 million consumer records - including names, email addresses and unencrypted plain text passwords - were exposed when online dating company Cupid Media was hacked earlier this year, according to KrebsOnSecurity.

Cupid Media, an Australian company, operates more than 30 dating sites based on niches including ethnic and religious groups. Its sites include KenyanCupid.com, IranianSinglesConnection.com and MilitaryCupid.com.

According to Brian Krebs, writer at KrebsOnSecurity, the data stolen from Cupid Media was found on the same server where hackers stashed “tens of millions” of records stolen from Adobe, PR Newswire and others.

Krebs apparently contacted some of the 42 million-odd Cupid Media users whose data was revealed in the breach and confirmed that their passwords were indeed what was listed on the server.

Andrew Bolton, Cupid Media’s MD, told Krebs that the data found on the server appears to be related to a breach that happened in January this year.

“In January, we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said.

Krebs noted in his article that he “couldn’t find any public record - in the media or elsewhere - about this January 2013 breach”.

Bolton told Krebs that “The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” and that “a large portion of the records located in the affected table related to old, inactive or deleted accounts”.

According to Cupid Media’s website, the company has more than 30 million customers across the globe.

A leak of plain text passwords like this is particularly dangerous; if a Cupid Media customer created an account on any other website using their leaked password alongside their leaked email, it would be trivial for a third party to gain access to these other accounts.

56 of the accounts leaked in the attack belonged to employees at the US’s Department of Homeland Security, according to Krebs’ website.

Bolton wrote to Krebs: “Since you have now provided additional information we now have a clearer picture of what transpired back in January.

“We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification,” Bolton wrote.

Bolton told Krebs that following the January breach, Cupid Media “hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords”.

Krebs said that it’s “remarkable that a company with this many users would not have seen this coming. Back in Feb 2011, I broke a story that received considerable media attention; it was about a hack that exposed some 30 million customer records at Plenty Of Fish (pof.com), an online dating service that also admitted to storing its users’ passwords in plaintext”.

Krebs said that based on the leaked data, a “huge percentage” of Cupid Media’s customers “chose downright awful passwords”.

These included “123456” (1.9 million users), “111111” (1.2 million), “iloveyou” (91,269), “qwerty” (40,023) and “password” (37,241).

Timothy Pilgrim, Australian Privacy Commissioner, reportedly said the Office of the Australian Information Commissioner is aware of the incident and it would be contacting Cupid Media for further information.