Dating-Site Data Breach Dumps 42 Million Plain-Text Passwords

Up to 42 million people worldwide have had their names, email addresses, passwords and dates of birth exposed to online criminals, the result of a data breach in January at Australian online-dating company Cupid Media.

There have been bigger data breaches, but perhaps none worse. Every one of the 42 million Cupid Media passwords was stored in unencrypted plain text.

Because most people reuse passwords, many of those stolen passwords will unlock user accounts at other online services. (Cupid Media has no link to New York-based online-dating service OK Cupid.)

Of those 42 million compromised Cupid Media accounts, 1.9 million, or 4.5 percent of the total, used the password "123456"; 1.2 million used "111111." Yet because all the passwords were stored in plain text, no cracking was needed at all: even users who chose long, random passwords are now at high risk of identity theft and account hijacking.

In a posting today (Nov. 20), security blogger Brian Krebs revealed he had found the Cupid Media data buried on the same cybercriminal server that had stored data stolen from Adobe Systems, PR Newswire and the National White Collar Crime Center. (The 150 million stolen Adobe user records were protected by encryption so poorly applied, reversible rather than hashed and with no salt, that Facebook decided to alert its own users who also appeared in the Adobe data set.)


Andrew Bolton, managing director of Cupid Media, told Krebs that his company had suffered a data breach in January 2013.

At that time, Bolton told Krebs, Cupid Media took "what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts."

However, as Krebs noted, "I couldn't find any public record — in the media or elsewhere — about this January 2013 breach."

Dating sites for all tastes

Cupid Media, headquartered in a gleaming office tower in Southport, Queensland, Australia, operates more than 30 online dating sites around the world catering to different regions, lifestyles and tastes.

Among its sites are AsianDating.com, BBWCupid.com, ChristianCupid.com, GayCupid.com, InterracialCupid.com, MilitaryCupid.com, Muslima.com, PinkCupid.com, RussianCupid.com, SingleParentLove.com and UkraineDate.com.

The full list of sites can be found on this Cupid Media page under the "Choose a site" drop-down menu. If you've ever registered on any of those sites, change your password immediately on that site and on any other sites on which you may have used the same password.

Krebs reached out to some of the individuals listed in the stolen Cupid Media records, and those who responded confirmed that Krebs indeed had their passwords. (Krebs did not mention whether they'd been notified by Cupid Media.)

Bolton suggested that Krebs may have "illegally accessed" user records, but then outlined the company's long-term response.

"Subsequently to the events of January," Bolton told Krebs, "we hired external consultants and implemented a range of security improvements, which include hashing and salting of our passwords."

How to properly store passwords

Hashing and salting are the minimum security precautions to be taken when storing user passwords. Hashing runs each password through a one-way mathematical function that produces a "hash," a fixed-length digest (usually written as a string of hexadecimal characters) from which the original password cannot be recovered directly.

Salting adds a random value, the salt, to each password before hashing. The salt is not secret; it is stored alongside the hash. Its purpose is to make every hash unique: two users who both chose "123456" get different hashes, one site's hash of a given password won't match another site's, and an attacker cannot crack every account at once with a precomputed table of hashes of common passwords.

Websites that hash passwords store the hash and its salt, not the original password. To verify a login, the site hashes the submitted password with the stored salt and compares the result to the hash generated when the user first registered that password.

Verification costs a single hash computation per login, so expense is not the real obstacle; some companies simply never built it in, or inherited a system that stored passwords as typed. It's simply easier not to, until there's a data breach. One further caveat: a salted hash built from a fast general-purpose algorithm such as MD5 or SHA-1 can still be tested at billions of guesses per second on off-the-shelf graphics cards, so passwords should be hashed with a deliberately slow function such as bcrypt, scrypt or PBKDF2 with a high iteration count.
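As an added example (not code from the article or from Cupid Media), the following Python shows the difference described above: what a plain, unsalted fast hash leaks to an attacker holding a precomputed table, and how a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library) is stored and verified. The user names, passwords and the attacker's wordlist are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example for this article, not Cupid Media's code. It uses PBKDF2-HMAC-SHA256 from
# Python's standard library (bcrypt or scrypt would do equally well). User names, passwords
# and the attacker's wordlist below are constructed for the demonstration.

ITERATIONS = 200_000  # work factor: raise it over time as hardware gets faster
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt$hash' (salt and hash base64)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user; stored in the clear, not secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        RECORD_ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare to the stored hash."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != RECORD_ALGO:
        raise ValueError("unsupported password record: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


# Constructed sample: two users who both picked the most common password in the dump.
USERS: Dict[str, str] = {"alice": "123456", "bob": "123456"}


def unsalted_fast_hashes(users: Dict[str, str]) -> Dict[str, str]:
    """What a site that merely runs SHA-1 over each password (no salt) would store."""
    return {u: hashlib.sha1(p.encode("utf-8")).hexdigest() for u, p in users.items()}


def crack_with_precomputed_table(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Attacker hashes a wordlist once, then recovers every matching account by lookup."""
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in stored.items() if h in table}


def salted_records(users: Dict[str, str]) -> Dict[str, str]:
    """Salted, iterated hashes: identical passwords yield different stored records."""
    return {u: hash_password(p) for u, p in users.items()}


if __name__ == "__main__":
    fast = unsalted_fast_hashes(USERS)
    print("unsalted SHA-1 (same for both users):", fast)
    print("recovered by one table lookup:",
          crack_with_precomputed_table(fast, ["password", "123456", "111111"]))
    records = salted_records(USERS)
    for user, record in records.items():
        print(user, record)
    print("alice, correct password:", verify_password("123456", records["alice"]))
    print("alice, wrong password:  ", verify_password("1234567", records["alice"]))
```

Storing the algorithm name and iteration count inside each record lets a site raise the work factor later and re-hash each user's password at their next successful login, without a mass reset of the kind Cupid Media described.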

"It is entirely likely," Krebs wrote about Cupid Media, "that the records I have seen are from the January breach, and that the company no longer stores its users' information and passwords in plain text."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.