Online dating website Cupid Media recently announced it had been hacked by an outside group that accessed the domain and stole 42 million of its users' passwords.
Experts are saying it could be one of the worst password security breaches in history, but what may be most shocking is the protection measures – or lack thereof – that were found on the website. It has been discovered that the millions of passwords on the website were effectively unprotected: the company stored them in plaintext.
This is a serious flaw that resulted in millions of names, email addresses, unencrypted passwords and birthdays being leaked onto the internet. The trove of stolen data was discovered on the same server that held the information recently stolen from Adobe.
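The storage flaw the article describes, shown beside a hardened alternative, as an added example that is not Cupid Media's code. The record layout, the sample credentials and the choice of PBKDF2-HMAC-SHA256 with a per-user salt are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# The scheme the article describes: the password is stored as typed, so anyone
# who copies the user table has every password in the clear.
def store_plaintext(db: dict, email: str, password: str) -> None:
    db[email] = {"password": password}

# Hardened alternative (assumed good practice, not the site's own code): a random
# per-user salt and a slow, iterated hash. A thief who steals the table must
# brute-force each record separately instead of reading passwords directly.
PBKDF2_ITERATIONS = 600_000  # constructed setting; tune to the server's budget

def store_hashed(db: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[email] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}

def verify_hashed(db: dict, email: str, password: str) -> bool:
    record = db.get(email)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), record["hash"])

def leaked_password(record: dict) -> Optional[str]:
    """What a thief learns from one stolen record: the plaintext, or nothing."""
    return record.get("password")

if __name__ == "__main__":
    # Constructed sample credential, not real user data.
    plain, hashed = {}, {}
    store_plaintext(plain, "user@example.com", "hunter2")
    store_hashed(hashed, "user@example.com", "hunter2")
    print("plaintext table leaks:", leaked_password(plain["user@example.com"]))
    print("hashed table leaks:", leaked_password(hashed["user@example.com"]))
    print("login with correct password:", verify_hashed(hashed, "user@example.com", "hunter2"))
```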
The breach, uncovered by KrebsOnSecurity, occurred in January 2013. After discovering it, Brian Krebs reached out to the company to better understand what happened.
"In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," said Cupid Media Managing Director Andrew Bolton.
"We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."
Australian government weighs in
Such a large security breach wouldn't go unnoticed by Australian Privacy Commissioner Timothy Pilgrim, who said the Office of the Australian Information Commissioner is currently in talks with Cupid Media regarding the issue.
As it stands, there is no public record of the breach prior to Brian Krebs' investigation. In his exchanges with Mr Krebs, Mr Bolton has argued that much of the stolen data belonged to "old, inactive or deleted accounts", and that the actual number of "active members affected by this event is considerably less than [Krebs] previously quoted."
This response resembles Adobe's reaction to its own recent breach, when that company said the bulk of the stolen information wasn't critical, despite experts saying otherwise.
Whether the information is critical or not may be beside the point, though. Cupid Media has shown the world that it had neither adequate penetration testing nor a security audit in place to protect the personal information of its millions of users.