

Cupid Concedes January Hack, 42 Million Passwords Stolen

Separately, GitHub forces some users to reset weak passwords following a rapid brute-force attack launched from about 40,000 IP addresses.

Online dating service Cupid Media this week confirmed that it suffered a data breach in January 2013. The breach apparently led to the theft of 42 million users' names, email addresses, birthdates, and passwords, which the company had stored in plaintext.

The breach was discovered -- and publicly disclosed -- by security reporter Brian Krebs, who found the Cupid data sitting on a server that also stored stolen information from such organizations as PR Newswire, the National White Collar Crime Center (NW3C), and Adobe. While the trove of information stolen from Adobe appears to include details for 150 million people, to date the company has only notified 38 million customers that their personal details may have been compromised.

Unlike Adobe, which at least encrypted its stored passwords -- albeit reversibly and in a weak, easy-to-crack manner, rather than hashing them with a per-user salt -- Cupid Media did not protect its passwords at all, storing them in plaintext. As a result, the hackers behind the breach would have been immediately able to access not only Cupid accounts, but also any other online accounts on which the same email address and password had been reused.


Cupid said that after it discovered the breach, it notified some users and required them to reset their passwords. "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Andrew Bolton, Cupid Media's managing director, told Krebs via email. "We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."

But Krebs reported that multiple Cupid users whom he contacted -- whose account information was contained in the trove of stolen data -- were still using the passwords the attackers had stolen 10 months earlier. Many users had also selected weak and easy-to-guess passwords. According to Krebs, for example, the most frequently used non-numeric password on the site -- chosen by 91,269 people -- was "iloveyou."

Cupid Media's website says the company has 30 million active customers across North and South America, Europe, Asia Pacific, and the Middle East, and maintains 30 different dating sites. So if information on 42 million users was stolen, the company likely stored account information -- including passwords -- for both current and former users.

Should Cupid Media have issued a public data breach notification about the breach, back in January? The company is based in Australia, and while the country's Senate earlier this year debated a bill that would have created a mandatory data breach notification law, the bill ultimately failed in the face of strong business resistance.

A spokesman for Cupid Media didn't immediately respond to a request for comment -- sent outside Australian business hours -- about exactly how many current and former users were affected by the breach.

[Image caption: Online dating company users may feel more than a broken heart due to hack. (Source: Flickr user CarbonNYC)]

But the company told Krebs that after discovering the January breach, it made a number of information security changes. "Subsequent to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements," Bolton said. "We sincerely apologize for the inconvenience this has caused our members."
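The difference between the storage choices described above (Cupid's plaintext, Adobe's deterministic encryption, and the salted hashing Bolton says Cupid has since adopted) is easiest to see from the attacker's side of a stolen database. The following is an added example, not code from the article or from Cupid Media or Adobe; the sample password list is constructed, and unsalted SHA-256 stands in for any deterministic scheme, since unsalted hashing and ECB-mode encryption share the property that identical passwords produce identical stored values. The `pbkdf2_sha256$...` record format and the 600,000-iteration default are this example's own choices.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of stored passwords; not real Cupid Media data.
# Four of six users chose "iloveyou", mirroring the reuse Krebs observed.
SAMPLE_PASSWORDS = ["iloveyou", "123456", "iloveyou", "Tr0ub4dor&3", "iloveyou", "iloveyou"]


def store_plaintext(password: str) -> str:
    """What Cupid Media did: the stored value IS the password."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """Deterministic storage: the same password always yields the same stored value.
    Unsalted hashing and ECB-mode encryption share this weakness."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow KDF: identical passwords no longer collide,
    and each guess costs the attacker <iterations> HMAC computations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Record format is this example's own convention (assumption).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def most_common_stored_value(stored_values: List[str]) -> Tuple[str, int]:
    """Attacker's first move on a dump: group identical stored values.
    With plaintext or deterministic storage, the biggest group is cracked once
    and every member of it falls together."""
    return Counter(stored_values).most_common(1)[0]


def dictionary_crack_unsalted(stored_values: List[str], wordlist: List[str]) -> Dict[str, str]:
    """One precomputed table maps every wordlist hash back to its password."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in set(stored_values) if h in table}


if __name__ == "__main__":
    plain = [store_plaintext(p) for p in SAMPLE_PASSWORDS]
    print("plaintext, most common:", most_common_stored_value(plain))

    hashed = [store_unsalted_sha256(p) for p in SAMPLE_PASSWORDS]
    print("unsalted, size of largest identical group:", most_common_stored_value(hashed)[1])
    print("cracked with a 3-word list:",
          dictionary_crack_unsalted(hashed, ["iloveyou", "123456", "password"]))

    salted = [store_salted_pbkdf2(p) for p in SAMPLE_PASSWORDS]
    print("salted, distinct stored values:", len(set(salted)), "of", len(salted))
    print("verify correct:", verify_salted_pbkdf2("iloveyou", salted[0]),
          "verify wrong:", verify_salted_pbkdf2("iloveu", salted[0]))
```

With plaintext or unsalted storage the four "iloveyou" users collapse into one group, so the 91,269 Cupid users Krebs counted would have been exposed by a single lookup. With a per-user salt the six records are all distinct, the frequency analysis yields nothing, and each guess must be run through the KDF separately per user.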

In other data breach news, code-hosting service GitHub began warning users Tuesday that attackers, using almost 40,000 different IP addresses, had launched a rapid brute-force attack against the site's login that resulted in a number of weak passwords being guessed. The company has invalidated affected users' passwords and will force them to choose a new -- and strong -- replacement. The company said it has also put new rate-limiting measures in place to better block future attacks of this kind.

"We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked," GitHub security engineer Shawn Davenport said in a Tuesday blog post. "Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information.

"Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used," he added. "Activity on these accounts showed logins from IP addresses involved in this incident."

Multiple GitHub users have reported seeing a dozen or more access attempts to their accounts over the past day. "The list of IPs from China (& Indonesia, etc) -- that most are seeing on their page -- making failed login attempts, looks like a botnet or automated bruteforce on the GitHub authentication service," said one user on the Hacker News site. "Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts."

Security researcher HD Moore, who created the open source Metasploit penetration testing framework -- and saw four failed login attempts against his own account -- said GitHub had responded "admirably" to the attack by issuing a rapid notification to users and resetting accounts that appeared to have been compromised.
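The attack pattern described above is exactly the one that per-IP rate limiting or "fail2ban style" blacklisting misses: spread across 40,000 addresses, each IP makes only a handful of attempts and never trips a per-IP threshold, even as a single account is hammered from dozens of sources. What follows is an added example in Python, not GitHub's code and not taken from the article, that runs three rules over a constructed authentication log in a made-up `ip=... user=... result=...` format: a fail2ban-style per-IP count, a per-account count of distinct failing IPs that catches the distributed case, and the "abundance of caution" rule Davenport describes, which resets any account that saw a successful login from an IP involved in the campaign, whatever the strength of its password. The thresholds and IP addresses are assumptions; in production the counts would be computed over a sliding time window rather than the whole file.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Made-up log format for this example (assumption, not GitHub's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: five attacker IPs (198.51.100.x) spray a few guesses each
# across several accounts; bob's weak password falls; dave logs in from an
# attacker IP; eve is a legitimate user who fat-fingers her password twice.
SAMPLE_LOG = """\
2013-11-19T10:00:01Z ip=198.51.100.11 user=alice result=FAIL
2013-11-19T10:00:02Z ip=198.51.100.12 user=alice result=FAIL
2013-11-19T10:00:03Z ip=198.51.100.13 user=alice result=FAIL
2013-11-19T10:00:04Z ip=198.51.100.14 user=alice result=FAIL
2013-11-19T10:00:05Z ip=198.51.100.11 user=bob result=FAIL
2013-11-19T10:00:06Z ip=198.51.100.12 user=bob result=FAIL
2013-11-19T10:00:07Z ip=198.51.100.15 user=bob result=FAIL
2013-11-19T10:00:08Z ip=198.51.100.15 user=bob result=OK
2013-11-19T10:00:09Z ip=198.51.100.14 user=carol result=FAIL
2013-11-19T10:00:10Z ip=198.51.100.15 user=carol result=FAIL
2013-11-19T10:00:11Z ip=198.51.100.15 user=dave result=OK
2013-11-19T10:00:12Z ip=203.0.113.7 user=eve result=FAIL
2013-11-19T10:00:13Z ip=203.0.113.7 user=eve result=FAIL
2013-11-19T10:00:14Z ip=203.0.113.7 user=eve result=OK
""".splitlines()


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_failures(events: List[Dict[str, str]], threshold: int = 5) -> Set[str]:
    """fail2ban-style rule: flag an IP once it fails <threshold> times.
    A botnet spreading 2-3 guesses per IP never reaches the threshold."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def distributed_targets(events: List[Dict[str, str]], min_distinct_ips: int = 3) -> Set[str]:
    """Key on the account instead of the source: an account failing from many
    distinct IPs is being guessed at, however few attempts each IP makes."""
    ips_by_user: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            ips_by_user[e["user"]].add(e["ip"])
    return {u for u, ips in ips_by_user.items() if len(ips) >= min_distinct_ips}


def attack_ips(events: List[Dict[str, str]], targets: Set[str]) -> Set[str]:
    """Every IP that failed against a targeted account is treated as part of the campaign."""
    return {e["ip"] for e in events if e["result"] == "FAIL" and e["user"] in targets}


def accounts_to_reset(events: List[Dict[str, str]], bad_ips: Set[str]) -> Set[str]:
    """Davenport's rule: any successful login from a campaign IP gets reset,
    even if the account's password was strong."""
    return {e["user"] for e in events if e["result"] == "OK" and e["ip"] in bad_ips}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP rule bans:", per_ip_failures(events) or "nothing")
    targets = distributed_targets(events)
    print("accounts under distributed attack:", sorted(targets))
    bad = attack_ips(events, targets)
    print("campaign IPs:", sorted(bad))
    print("accounts to reset:", sorted(accounts_to_reset(events, bad)))
```

On the sample, the per-IP rule bans nothing, the per-account rule flags alice and bob, all five 198.51.100.x addresses are attributed to the campaign, and bob (cracked) and dave (logged in from a campaign IP) are reset, while eve's two genuine typos from her own address are left alone.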

Going forward, besides choosing strong passwords, GitHub users can enable two-factor authentication, which the site introduced in September. A guessed password alone would not have been enough to log in to any account that used it, so two-factor authentication would have safeguarded those accounts against this brute-force attack. In the wake of the attack, GitHub's Davenport recommended that all users enable two-factor authentication if they hadn't already done so.
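To make concrete why a cracked password is not enough once a second factor is in play, here is an added example, not GitHub's implementation and not from the article, of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps implement, with a login check that requires both the password and a current code. The `USERS` table, its password-hash format and the single demo account are constructed for this example; the secret `12345678901234567890` is the RFC's own test key, used so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Six-digit, 30-second-step, HMAC-SHA1 TOTP, as most authenticator apps use.
DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                window: int = 1, step: int = STEP, digits: int = DIGITS) -> bool:
    """Accept the current code or one step either side to tolerate clock skew.
    A wider window gives the attacker more valid codes per attempt, so keep it small."""
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


# Constructed user table (assumption): salted PBKDF2 password hash + TOTP seed.
_SALT = b"example-fixed-salt"  # per-user random salt in a real system
USERS: Dict[str, Dict[str, bytes]] = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"iloveyou", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key
    },
}


def login(username: str, password: str, code: str, for_time: Optional[float] = None) -> bool:
    """Both factors are checked; a guessed password without a valid code fails."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, for_time)
    return password_ok and code_ok


if __name__ == "__main__":
    key = b"12345678901234567890"
    print("TOTP at T=59 (RFC vector 287082):", totp(key, 59))
    now = time.time()
    print("password only, no valid code:", login("alice", "iloveyou", "000000", now))
    print("password plus current code:", login("alice", "iloveyou", totp(key, now), now))
```

The RFC 6238 vectors for this key are `287082` at T=59 and `081804` at T=1111111109 (the six-digit tails of the published eight-digit values `94287082` and `07081804`). The brute-force attacker in the GitHub incident would have had to guess the password and the six-digit code within the same 30-second step, and a per-account attempt limit makes the one-in-a-million code guess impractical.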


Comments
Marilyn Cohodas, User Rank: Strategist
11/20/2013 | 1:58:54 PM
When love doesn't conquer all
Why am I not surprised that the most frequently used non-numeric password stolen by hackers hacking the Cupid Media dating site was "iloveyou." Apparently love does NOT conquer all.