Cupid Media hack exposed 42m online dating passwords
Niche online dating provider admits that January breach exposed unencrypted user information – including dates of birth
Alex Hern
The Guardian, Wednesday 20 November 2013 13.11 GMT
Some of Cupid Media's sites. Photograph: /Screenshot
Up to 42 million peoples' unencrypted names, dates of birth, email addresses and passwords have been stolen by hackers who broke into a company that runs niche online dating sites.
Cupid Media, which runs niche online dating sites such as UkraineDate.com, MilitaryCupid.com and IranianSinglesConnection.com, was hacked in January but did not admit to the break-in until it was exposed by security researcher Brian Krebs.
Cupid Media is not connected with OK Cupid, an American dating site.
The data stolen from Cupid Media, which runs 35 dating sites altogether, was discovered by Krebs on the same server that housed user information stolen from Adobe, who disclosed their breach earlier in November. But unlike Adobe, which used some encryption on the data, Cupid Media stored user data in plain text. As well as passwords, that includes full names, email addresses, and dates of birth.
Cupid's managing director Andrew Bolton admitted to Krebs that the breach had occurred in January 2013. At the time, "we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."
However like Adobe, Cupid has only notified active users who are affected by the data breach.
In the case of the software giant, there were more than 100m inactive, disabled and test accounts affected, as well as the 38m to which it admitted at the time.
Bolton told Krebs that "the number of active members affected by this event is considerably less than the 42 million that you have previously quoted". He also confirmed that, since the breach, the company has started encrypting passwords using techniques called salting and hashing – an industry-standard safety measure which renders most leaks harmless.
Jason Hart of Safenet commented: "The true impact of the breach is likely to be huge. Yet, if this data had been encrypted in the first place then all hackers would have found is scrambled information, rendering the theft pointless."
He added: "Many companies shy away from encryption due to fear that it will be either too expensive or complicated. The reality is that it doesn’t have to be either. With hacking attempts becoming almost a daily occurrence, it’s clear that being breached is not a question of 'if' but 'when'. Although their motives may be different, a hacker’s ultimate goal is to gain access to sensitive data, so companies need to ensure they are taking the necessary precautions."
He suggested that too many security departments are "holding on to the past" in their security strategy by trying to prevent breaches rather than safeguarding the data.
As with other breaches, analysis of the leaked data provides some interesting information. Well over three quarters of the users had registered with either a Hotmail, Gmail or Yahoo email address, but some addresses hint at more serious security concerns. More than 11,000 had used a US military email address to register, and around 10,000 had registered with a US government address.
Of the leaked passwords, almost two million picked "123456", and over 1.2 million chose "111111". "iloveyou" and "lovely" both beat out "password", and while 40,000 chose "qwerty", 20,000 chose the bottom row of the keyboard instead - yielding the password "zxcvbnm".