Cupid Concedes January Hack, 42 Million Passwords Stolen

Separately, GitHub forces some users to reset weak passwords following a rapid attack launched via 40,000 IP addresses.

Online dating service Cupid Media this week confirmed that it suffered a data breach in January 2013. The breach apparently led to the theft of 42 million users' names, email addresses, birthdates, and passwords, which the company stored in plaintext format.

The breach was discovered -- and publicly disclosed -- by security reporter Brian Krebs, who found the Cupid data sitting on a server that also stored stolen information from such organizations as PR Newswire, the National White Collar Crime Center (NW3C), and Adobe. While the trove of information stolen from Adobe appears to include details for 150 million people, to date the company has only notified 38 million customers that their personal details may have been compromised.

Unlike Adobe, which encrypted its stored passwords -- albeit in a weak and easy-to-crack manner -- Cupid Media failed to encrypt its passwords at all, instead storing them in plaintext format. As a result, the hackers behind the breach would have been immediately able to access not only Cupid accounts, but also any other online accounts that reused the same email address and password.

[Insiders may be a bigger threat to your company's data than hackers. See Cyber Insecurity: When Contractors Are Weak Link.]

Cupid said that after it discovered the breach, it notified some users and required them to reset their passwords. "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Andrew Bolton, Cupid Media's managing director, told Krebs via email. "We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."

But Krebs reported that multiple Cupid users whom he contacted -- whose account information was contained in the trove of stolen information -- still used the passwords that had been stolen by the attackers 10 months ago. Many users had also selected weak and easy-to-guess passwords. According to Krebs, for example, the most frequently used non-numeric password on the site -- employed by 91,269 people -- was "iloveyou."

Cupid Media's website says the company has 30 million active customers across North and South America, Europe, Asia Pacific, and the Middle East, and maintains 30 different dating sites. So if information on 42 million users was stolen, the company likely stored account information -- including passwords -- for both current and former users.

Should Cupid Media have issued a public data breach notification about the breach, back in January? The company is based in Australia, and while the country's Senate earlier this year debated a bill that would have created a mandatory data breach notification law, the bill ultimately failed in the face of strong business resistance.

A spokesman for Cupid Media didn't immediately respond to a request for comment -- sent outside Australian business hours -- about exactly how many current and former users were affected by the breach.

Online dating company users may feel more than a broken heart due to hack. (Source: Flickr user CarbonNYC)

But the company told Krebs that after discovering the January breach, it made a number of information security changes. "Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements," Bolton said. "We sincerely apologize for the inconvenience this has caused our members."
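The two storage approaches the article contrasts, as an added example that is not Cupid Media's, Adobe's or Krebs's code: a plaintext store hands over every password the moment the table is dumped, while a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here; the iteration count and the sample user records are assumptions) forces attackers to crack each account separately and keeps two users who both chose "iloveyou" from producing identical records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who chose the same weak password,
# mirroring the "iloveyou" reuse the article reports.
USERS = {"alice@example.invalid": "iloveyou", "bob@example.invalid": "iloveyou"}

PBKDF2_ITERATIONS = 600_000  # assumption: a current cost setting; tune to your hardware


def store_plaintext(users):
    """The Cupid Media approach: the stored record is the secret itself."""
    return dict(users)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_hashed(users):
    """The remediated approach: only salted hashes are kept."""
    return {email: hash_password(pw) for email, pw in users.items()}


def leak_reveals_password(store, email, password):
    """Would a dump of this store expose the user's password string directly?"""
    return store[email] == password
```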

In other data breach news, software development project website GitHub began warning users Tuesday that attackers, using almost 40,000 different IP addresses, had launched a rapid brute-force attack against the website that resulted in a number of weak passwords having been cracked. The company has cancelled affected users' passwords and will force them to choose a new -- and strong -- replacement password. The company said it's also put new rate-limiting features in place to better block future attacks of this nature.

"We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked," GitHub security engineer Shawn Davenport said in a Tuesday blog post. "Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information.

"Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used," he added. "Activity on these accounts showed logins from IP addresses involved in this incident."

Multiple GitHub users have reported seeing a dozen or more access attempts to their accounts over the past day. "The list of IPs from China (& Indonesia, etc) -- that most are seeing on their page -- making failed login attempts, looks like a botnet or automated bruteforce on the GitHub authentication service," said one user on the Hacker News site. "Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts."
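Why the per-IP "fail2ban style" blocking the commenter above assumes is not enough against an attack spread over tens of thousands of addresses, and what the per-account rate limiting GitHub described adds, as an added example that is not GitHub's code: the log format, thresholds and addresses below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not GitHub's format). "alice" gets one guess
# from each of 12 sources, the way a 40,000-IP botnet stays under per-IP
# limits; "bob" gets six guesses from one IP; "carol" mistypes once.
SAMPLE_LOG = (
    [f"2013-11-19T10:00:{i:02d}Z FAIL user=alice ip=203.0.113.{i}" for i in range(1, 13)]
    + [f"2013-11-19T10:05:{i:02d}Z FAIL user=bob ip=198.51.100.7" for i in range(6)]
    + ["2013-11-19T10:06:00Z FAIL user=carol ip=192.0.2.9",
       "2013-11-19T10:06:30Z OK user=carol ip=192.0.2.9"]
)
LINE_RE = re.compile(r"(\S+) (FAIL|OK) user=(\S+) ip=(\S+)")
PER_IP_BAN = 5          # fail2ban-style: ban a source after this many failures
DISTINCT_IP_ALERT = 10  # per-account: alert on failures from this many sources
WINDOW = timedelta(hours=1)

def parse(lines):
    """Turn log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def per_ip_bans(events):
    """Per-source rule: only catches sources that are individually noisy."""
    fails = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= PER_IP_BAN}

def distributed_targets(events):
    """Per-account rule: count distinct failing sources inside a sliding window."""
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            ips = {ip for ts, ip in fails[i:] if ts - start <= WINDOW}
            if len(ips) >= DISTINCT_IP_ALERT:
                flagged[user] = len(ips)
                break
    return flagged
```

On the sample, the per-IP rule bans only bob's single noisy source and misses alice entirely, while the per-account rule flags alice with 12 distinct sources; a real deployment would feed the flagged accounts into a password reset or step-up challenge rather than just a log line.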

Security researcher HD Moore, who created the Metasploit open source vulnerability testing framework -- and saw four failed login attempts to his account -- said GitHub had responded "admirably" to the breach by issuing a rapid notification to users and resetting accounts that appeared to have been exploited.

Going forward, besides choosing strong passwords, GitHub users can tap two-factor authentication, which the site introduced in September. That would have safeguarded any account that used it against the brute-force password-cracking attack. In the wake of that attack, GitHub's Davenport recommended that all users enable two-factor authentication if they hadn't already done so.

Marilyn Cohodas, User Rank: Strategist
11/20/2013 | 1:58:54 PM
When love doesn't conquer all
Why am I not surprised that the most frequently used non-numeric password stolen by hackers hacking the Cupid Media dating site was "iloveyou." Apparently love does NOT conquer all.