Skip to main content

Dating-Site Data Breach Dumps 42 Million Plain-Text Passwords

Up to 42 million people worldwide have had their names, email addresses, passwords and dates of birth exposed to online criminals, the result of a data breach in January at Australian online-dating company Cupid Media.

There have been bigger data breaches, but perhaps none worse. Every one of the 42 million Cupid Media passwords was stored in unencrypted plain text.

Because most people reuse passwords, many of those stolen passwords will unlock user accounts at other online services. (Cupid Media has no link to New York-based online-dating service OK Cupid.)

Of those 42 million Cupid Media compromised accounts, 1.9 million, or 4.5 percent of the total, used the password "123456"; 1.2 million used "111111." Yet since all the passwords were unencrypted, even users who used strong passwords are now at high risk of identity theft and account hijacking.

In a posting today (Nov. 20), security blogger Brian Krebs revealed he had found the Cupid Media data buried on the same cybercriminal server that had stored data stolen from Adobe Systems, PR Newswire and the National White Collar Crime Center. (The 150 million stolen Adobe user records had such poor password encryption that Facebook decided to alert its own users who also appeared in the Adobe data set.)

MORE: Adobe Data Breach: How to Protect Yourself

Andrew Bolton, managing director of Cupid Media, told Krebs that his company had suffered a data breach in January 2013.

At that time, Bolton told Krebs, Cupid Media took "what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts."

However, as Krebs noted, "I couldn't find any public record — in the media or elsewhere — about this January 2013 breach."

Dating sites for all tastes

Cupid Media, headquartered in a gleaming office tower in Southport, Queensland, Australia, operates more than 30 online dating sites around the world catering to different regions, lifestyles and tastes.

Among its sites are AsianDating.com, BBWCupid.com, ChristianCupid.com, GayCupid.com, InterracialCupid.com, MilitaryCupid.com, Muslima.com, PinkCupid.com, RussianCupid.com, SingleParentLove.com and UkraineDate.com.

The full list of sites can be found on this Cupid Media page under the "Choose a site" drop-down menu. If you've ever registered on any of those sites, change your password immediately on that site and on any other sites on which you may have used the same password.

Krebs reached out to some of the individuals listed in the stolen Cupid Media records, and those who responded confirmed that Krebs indeed had their passwords.  (Krebs did not mention whether they'd been notified by Cupid Media.)

Bolton suggested that Krebs may have "illegally accessed" user records, but then outlined the company's long-term response.

"Subsequently to the events of January," Bolton told Krebs, "we hired external consultants and implemented a range of security improvements, which include hashing and salting of our passwords."

How to properly store passwords

Hashing and salting are the minimum security precautions to be taken when storing user passwords. Hashing runs passwords through a complex, irreversible mathematical algorithm that results in "hashes," long numerical strings of uniform character length.

Salting adds a set of secret characters to each password before hashing, so that one site's hash of a given password won't match another site's.

In most cases, websites that hash passwords store the hash, not the original password. To verify a user's password, a website runs a password through the hashing algorithm each time the user enters it, then matches the resulting hash to the stored hash generated when the user first registered that password.

However, all those computations and database lookups can be expensive and time-consuming. That's why some companies cut corners and don't hash passwords. It's simply easier not to — until there's a data breach.

"It is entirely likely," Krebs wrote about Cupid Media, "that the records I have seen are from the January breach, and that the company no longer stores its users' information and passwords in plain text."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • killerclick
    Tsk tsk Tom's. Salts should not be secret and are not supposed to be sitewide, but unique to each username.
    Reply
  • TeraMedia
    I have to think that the reason sites don't employ reasonable password encryption has nothing to do with computational cost, and everything to do with poor software design. There is far more computational cost introduced by the encryption and decryption required for SSL traffic than there is for the once-per-session hashing of a user-provided password to compare to the stored hash. But it it takes a bit of thought and effort to research, design and implement password security.

    On a different note, if any of those sites utilize credit card billing then I would be much more worried about a breach of that data.
    Reply
  • derekullo
    All the hacker wanted to do was find a mate. Now he has access to millions.
    Isn't this what the Cupid sites were all about anyway?
    The irony lol
    Reply
  • awesomedude911
    The Russian website was most likely full of sluts, and the other 5 million with passwords like 111111 most likely did that because they joined the site to see who was available. Even though he got 42 million passwords, what is the chance that he will be able to have the Time to mess with 1 to 5 thousand passwords?
    Reply
  • Darkk
    SALT can be anything that is added to the password before it gets hashed. Could be part of a user ID, birthdate, account #...etc or a special secret "key" that only few handful people knows. That is determined who wrote the password portion of the software.

    I for one have done this for a company and it's really easy to do. Just have to keep it close guarded secret and test it to make sure it works properly.
    Reply