Attacks/Breaches
11/20/2013
12:46 PM
Cupid Concedes January Hack, 42 Million Passwords Stolen

Separately, Github forces some users to reset weak passwords following a rapid attack launched via 40,000 IP addresses.

Online dating service Cupid Media this week confirmed that it suffered a data breach in January 2013. The breach apparently led to the theft of 42 million users' names, email addresses, birthdates, and passwords, which the company stored in plaintext format.

The breach was discovered -- and publicly disclosed -- by security reporter Brian Krebs, who found the Cupid data sitting on a server that also stored stolen information from such organizations as PR Newswire, the National White Collar Crime Center (NW3C), and Adobe. While the trove of information stolen from Adobe appears to include details for 150 million people, to date the company has only notified 38 million customers that their personal details may have been compromised.

Unlike Adobe, which encrypted its stored passwords -- albeit in a weak and easy-to-crack manner -- Cupid Media failed to encrypt its passwords at all, instead storing them in plaintext format. As a result, the hackers behind the breach would have been immediately able to access not only Cupid accounts, but also any other online accounts that reused the same email address and password.


Cupid said that after it discovered the breach, it notified some users and required them to reset their passwords. "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Andrew Bolton, Cupid Media's managing director, told Krebs via email. "We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."

But Krebs reported that multiple Cupid users that he contacted -- whose account information was contained in the trove of stolen information -- still used the passwords that had been stolen by the attackers 10 months ago. Many users had also selected weak and easy-to-guess passwords. According to Krebs, for example, the most frequently used non-numeric password on the site -- employed by 91,269 people -- was "iloveyou."

Cupid Media's website says the company has 30 million active customers across North and South America, Europe, Asia Pacific, and the Middle East, and maintains 30 different dating sites. So if information on 42 million users was stolen, the company likely stored account information -- including passwords -- for both current and former users.

Should Cupid Media have issued a public data breach notification about the breach, back in January? The company is based in Australia, and while the country's Senate earlier this year debated a bill that would have created a mandatory data breach notification law, the bill ultimately failed in the face of strong business resistance.

A spokesman for Cupid Media didn't immediately respond to a request for comment -- sent outside Australian business hours -- about exactly how many current and former users were affected by the breach.

Online dating company users may feel more than a broken heart due to hack. (Source: Flickr user CarbonNYC)

But the company told Krebs that after discovering the January breach, it made a number of information security changes. "Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements," Bolton said. "We sincerely apologize for the inconvenience this has caused our members."
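As an added illustration (not Cupid Media's or GitHub's code), the difference between the plaintext store described above and the per-user salting and hashing Cupid says it adopted, using Python's standard library; the record format, the PBKDF2 work factor and the sample users are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ROUNDS = 200_000


def store_plaintext(password: str) -> dict:
    """The breached design: the stored record is the password itself."""
    return {"password": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Random 16-byte salt per user, then PBKDF2-HMAC-SHA256 over the password.
    The salt is stored alongside the hash; it is not secret, only unique."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_salted_hash(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and rounds, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_values(records: list, field: str) -> int:
    """Count records whose value for `field` appears in another record.
    A stolen plaintext table exposes this directly (the 91,269-'iloveyou'
    problem); with per-user salts, equal passwords give unequal hashes."""
    values = [r[field] for r in records if field in r]
    return len(values) - len(set(values))


if __name__ == "__main__":
    # Constructed sample: two users who both chose the site's most common password.
    plain = [store_plaintext("iloveyou"), store_plaintext("iloveyou")]
    hashed = [store_salted_hash("iloveyou"), store_salted_hash("iloveyou")]
    print("plaintext duplicates visible:", duplicate_values(plain, "password"))
    print("salted-hash duplicates visible:", duplicate_values(hashed, "hash"))
    print("verify correct password:", verify_salted_hash(hashed[0], "iloveyou"))
```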

In other data breach news, software development project website GitHub began warning users Tuesday that attackers, using almost 40,000 different IP addresses, had launched a rapid brute-force attack against the website that resulted in a number of weak passwords being cracked. The company has cancelled affected users' passwords and will force them to choose a new -- and strong -- replacement password. The company said it has also put new rate-limiting features in place to better block future attacks of this nature.

"We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked," GitHub security engineer Shawn Davenport said in a Tuesday blog post. "Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information.

"Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used," he added. "Activity on these accounts showed logins from IP addresses involved in this incident."

Multiple GitHub users have reported seeing a dozen or more access attempts to their accounts over the past day. "The list of IPs from China (& Indonesia, etc) -- that most are seeing on their page -- making failed login attempts, looks like a botnet or automated bruteforce on the GitHub authentication service," said one user on the Hacker News site. "Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts."

Security researcher HD Moore, who created the Metasploit open source vulnerability testing framework -- and saw four failed login attempts to his account -- said GitHub had responded "admirably" to the breach by issuing a rapid notification to users and resetting accounts that appeared to have been exploited.

Going forward, besides choosing strong passwords, GitHub users can tap two-factor authentication, which the site introduced in September. That would have safeguarded any account that used it against the brute-force password-cracking attack. In the wake of that attack, GitHub's Davenport recommended that all users enable two-factor authentication if they hadn't already done so.


Comments
Marilyn Cohodas, User Rank: Strategist, 11/20/2013 | 1:58:54 PM
When love doesn't conquer all
Why am I not surprised that the most frequently used non-numeric password stolen by hackers hacking the Cupid Media dating site was "iloveyou." Apparently love does NOT conquer all.