11/20/2013 12:46 PM
Cupid Concedes January Hack, 42 Million Passwords Stolen

Separately, Github forces some users to reset weak passwords following a rapid attack launched via 40,000 IP addresses.

Online dating service Cupid Media this week confirmed that it suffered a data breach in January 2013. The breach apparently led to the theft of 42 million users' names, email addresses, birthdates, and passwords, which the company stored in plaintext format.

The breach was discovered -- and publicly disclosed -- by security reporter Brian Krebs, who found the Cupid data sitting on a server that also stored stolen information from such organizations as PR Newswire, the National White Collar Crime Center (NW3C), and Adobe. While the trove of information stolen from Adobe appears to include details for 150 million people, to date the company has only notified 38 million customers that their personal details may have been compromised.

Unlike Adobe, which encrypted its stored passwords -- albeit in a weak and easy-to-crack manner -- Cupid Media failed to encrypt its passwords at all, instead storing them in plaintext format. As a result, the hackers behind the breach would have been immediately able to access not only Cupid accounts, but also any other online accounts that reused the same email address and password.


Cupid said that after it discovered the breach, it notified some users and required them to reset their passwords. "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Andrew Bolton, Cupid Media's managing director, told Krebs via email. "We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."

But Krebs reported that multiple Cupid users that he contacted -- whose account information was contained in the trove of stolen information -- still used the passwords that had been stolen by the attackers 10 months ago. Many users had also selected weak and easy-to-guess passwords. According to Krebs, for example, the most frequently used non-numeric password on the site -- employed by 91,269 people -- was "iloveyou."

Cupid Media's website says the company has 30 million active customers across North and South America, Europe, Asia Pacific, and the Middle East, and maintains 30 different dating sites. So if information on 42 million users was stolen, the company likely stored account information -- including passwords -- for both current and former users.

Should Cupid Media have issued a public data breach notification about the breach, back in January? The company is based in Australia, and while the country's Senate earlier this year debated a bill that would have created a mandatory data breach notification law, the bill ultimately failed in the face of strong business resistance.

A spokesman for Cupid Media didn't immediately respond to a request for comment -- sent outside Australian business hours -- about exactly how many current and former users were affected by the breach.

Online dating company users may feel more than a broken heart due to hack. (Source: Flickr user CarbonNYC)

But the company told Krebs that after discovering the January breach, it made a number of information security changes. "Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements," Bolton said. "We sincerely apologize for the inconvenience this has caused our members."
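The difference between what Cupid Media stored before the breach (plaintext) and what Bolton says it implemented afterwards (hashing and salting, plus a minimum password strength) is worth seeing in code. The block below is an added example for this article, not Cupid Media's code, and the page does not say which hash the company adopted; PBKDF2-HMAC-SHA256 with a per-user random salt, the iteration count, the 12-character minimum and the small blocklist of common passwords are all assumptions chosen here. It shows why 91,269 copies of "iloveyou" are visible at a glance in a plaintext table and invisible in a properly salted one, and why a table of salted hashes cannot be turned back into logins without cracking each record separately.

```python
import hashlib
import hmac
import os

# Constructed, deliberately tiny blocklist for the strength check; a real
# deployment would use a much larger list of leaked/common passwords.
COMMON_PASSWORDS = {"iloveyou", "password", "123456", "qwerty", "abc123"}

# Assumed work factor: raise it for production until a hash costs a
# noticeable fraction of a second on your login servers.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> str:
    """What the article says Cupid Media did: the stored record *is* the
    password. Anyone who reads the table can log in as every user, and
    shared passwords are obvious because identical inputs give identical rows."""
    return password


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte random salt per user means
    two users with the same password get different records, so a stolen
    table neither reveals shared passwords nor cracks in a single pass."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record: algorithm, cost, salt and digest, all needed
    # to verify later and to migrate to a higher cost over time.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_strong_enough(password: str, min_length: int = 12) -> bool:
    """Assumed policy: a minimum length plus rejection of known-common values,
    so 'iloveyou' is refused at registration rather than discovered in a dump."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def demo() -> dict:
    """Three users who all chose 'iloveyou', stored both ways."""
    plain = [store_plaintext("iloveyou") for _ in range(3)]
    hashed = [hash_password("iloveyou") for _ in range(3)]
    return {
        "plaintext_records_identical": len(set(plain)) == 1,
        "salted_records_identical": len(set(hashed)) == 1,
        "verify_ok": all(verify_password("iloveyou", h) for h in hashed),
        "verify_wrong": verify_password("iloveyou1", hashed[0]),
        "iloveyou_accepted": is_strong_enough("iloveyou"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not make a weak password strong; it only forces an attacker who steals the table to attack each record on its own. The strength check at registration is what keeps "iloveyou" out of the table in the first place, which is why both controls appear together.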

In other data breach news, software development project website GitHub began warning users Tuesday that attackers, using almost 40,000 different IP addresses, had launched a rapid brute-force attack against the website that resulted in a number of weak passwords having been cracked. The company has cancelled affected users' passwords and will force them to choose a new -- and strong -- replacement password. The company said it's also put new rate-limiting features in place to better block future attacks of this nature.

"We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked," GitHub security engineer Shawn Davenport said in a Tuesday blog post. "Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information.

"Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used," he added. "Activity on these accounts showed logins from IP addresses involved in this incident."

Multiple GitHub users have reported seeing a dozen or more access attempts to their accounts over the past day. "The list of IPs from China (& Indonesia, etc) -- that most are seeing on their page -- making failed login attempts, looks like a botnet or automated bruteforce on the GitHub authentication service," said one user on the Hacker News site. "Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts."
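The Hacker News commenter's guess, per-IP rate-limiting or fail2ban-style blacklisting, is exactly the control that a 40,000-address attack is designed to slip past: each source makes only a handful of attempts, so no single IP ever trips a per-IP threshold. The detection below is an added example written for this article, not GitHub's code, and the log lines, thresholds and windows are constructed for illustration. It runs both views over the same sample: a per-IP counter that catches one host hammering an account, and a per-account counter of distinct failing sources that catches the distributed pattern the per-IP check misses. It also derives the list of accounts to reset the way Davenport describes, including accounts that logged in successfully from an IP involved in the attack.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real GitHub logs):
# "<ISO timestamp> <source ip> <username> <result>"
#   - 198.51.100.7 fails six times against 'bob' (single-source brute force)
#   - ten different 203.0.113.x hosts each fail once against 'alice'
#     (distributed pattern: one attempt per IP)
#   - 203.0.113.3, one of those hosts, later logs in to 'dave' successfully
#   - 'carol' mistypes once from her usual address, then succeeds
SAMPLE_LOG = """\
2013-11-19T10:00:00 198.51.100.7 bob FAIL
2013-11-19T10:00:10 198.51.100.7 bob FAIL
2013-11-19T10:00:20 198.51.100.7 bob FAIL
2013-11-19T10:00:30 198.51.100.7 bob FAIL
2013-11-19T10:00:40 198.51.100.7 bob FAIL
2013-11-19T10:00:50 198.51.100.7 bob FAIL
2013-11-19T10:01:00 203.0.113.1 alice FAIL
2013-11-19T10:01:05 203.0.113.2 alice FAIL
2013-11-19T10:01:10 203.0.113.3 alice FAIL
2013-11-19T10:01:15 203.0.113.4 alice FAIL
2013-11-19T10:01:20 203.0.113.5 alice FAIL
2013-11-19T10:01:25 203.0.113.6 alice FAIL
2013-11-19T10:01:30 203.0.113.7 alice FAIL
2013-11-19T10:01:35 203.0.113.8 alice FAIL
2013-11-19T10:01:40 203.0.113.9 alice FAIL
2013-11-19T10:01:45 203.0.113.10 alice FAIL
2013-11-19T10:02:00 203.0.113.3 dave OK
2013-11-19T10:03:00 192.0.2.5 carol OK
2013-11-19T10:03:10 192.0.2.5 carol FAIL
2013-11-19T10:03:20 192.0.2.5 carol OK
"""


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def noisy_ips(events, max_failures=5, window=timedelta(minutes=10)):
    """Per-source check (fail2ban style): flag an IP whose failures inside the
    sliding window exceed max_failures. Thresholds are assumed values."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged


def targeted_accounts(events, min_distinct_ips=8, window=timedelta(minutes=10)):
    """Per-account check: count distinct failing sources, not attempts, so a
    botnet spending one guess per IP is still visible."""
    last_fail = defaultdict(dict)  # user -> {ip: time of its latest failure}
    flagged = set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        seen = last_fail[user]
        seen[ip] = ts
        for stale in [i for i, t in seen.items() if ts - t > window]:
            del seen[stale]
        if len(seen) >= min_distinct_ips:
            flagged.add(user)
    return flagged


def analyse(text):
    """Combine both views and derive the reset list: targeted accounts plus any
    account that logged in successfully from an IP involved in the attack."""
    events = parse_log(text)
    targets = targeted_accounts(events)
    involved = noisy_ips(events) | {
        ip for _ts, ip, user, ok in events if not ok and user in targets
    }
    reset = set(targets) | {
        user for _ts, ip, user, ok in events if ok and ip in involved
    }
    return {"noisy_ips": noisy_ips(events), "targeted_accounts": targets,
            "involved_ips": involved, "accounts_to_reset": reset}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

In the sample, the per-IP view flags only 198.51.100.7 and says nothing about the attack on alice, while the per-account view catches alice and, through the shared source 203.0.113.3, also puts dave on the reset list even though his login succeeded. Rate-limiting should therefore be keyed on the account (and ideally the account plus a device or session signal) as well as on the source address; two-factor authentication, which the article goes on to discuss, removes the payoff from a guessed password altogether.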

Security researcher HD Moore, who created the Metasploit open source vulnerability testing framework -- and saw four failed login attempts to his account -- said GitHub had responded "admirably" to the breach by issuing a rapid notification to users and resetting accounts that appeared to have been exploited.

Going forward, besides choosing strong passwords, GitHub users can tap two-factor authentication, which the site introduced in September. That would have safeguarded any account that used it against the brute-force password-cracking attack. In the wake of that attack, GitHub's Davenport recommended that all users enable two-factor authentication if they hadn't already done so.


Comments

Marilyn Cohodas, User Rank: Strategist
11/20/2013 | 1:58:54 PM
When love doesn't conquer all
Why am I not surprised that the most frequently used non-numeric password stolen by hackers hacking the Cupid Media dating site was "iloveyou." Apparently love does NOT conquer all.