Internet

Online dating network hit with tens of millions of passwords hacks 

Nov. 20, 2013 at 3:00 PM ET

Cupid Media, a niche dating site based in Australia, admitted to a password breach in January.
Cupid Media
Cupid Media, a niche dating site based in Australia, admitted to a password breach in January.

As many as 42 million people from around the globe had their information stolen from an online dating network, including names, email addresses, unencrypted passwords, and dates of birth, according to a report published by security researcher Brian Krebs.

The Australian-based Cupid Media, which owns more than 30 niche dating sites such as AsianDating.com and and BrazilianCupid.com, has disputed that number, but admitted to Krebs that a breach did occur in January 2013.

Why is this such a big deal? Because 42 million is one of the largest breaches to happen this year, made worse by the fact that the exposed passwords were stored as plain text.

Many people aren't vigilant about creating a different password for every site they log onto, which is why unencrypted passwords are so problematic. 

"Even the most inept web companies usually use a cryptographic hash to represent user passwords," Chester Wisniewski, senior security adviser at Sophos, told NBC News in an email. "Not only does this allow crooks to potentially impersonate [users] elsewhere, it also allows unscrupulous employees at their own organization to log in to users' accounts without authorization."

In this case, according to information reviewed by Krebs, 34 million of the Cupid Media users registered with email addresses from Yahoo, Hotmail and Gmail. Another reason to worry: More than 1.9 million of the hacked accounts used the classic password 123456, while another 1.2 million used 111111. (The top non-numeric password was reportedly "iloveyou," followed by "lovely," "qwerty" and "password.")

While Cupid Media says it only has 34 million users, the report claimed that the discrepancy between that number and the 42 million breached accounts could be attributed to the fact that "many companies have a habit of storing data on customers who are no longer active."

Andrew Bolton, Cupid Media’s managing director, told Krebs that all of the company's affected users had been notified in January after the breach and that their passwords had been reset. 

NBC News attempted to contact Cupid Media, but the company did not immediately respond. 

The breach happened on the same server as the recent Adobe hack, which, according to the company, resulted in 38 million user mail addresses, encrypted passwords and password hints being compromised. Earlier this month, however, security firm LastPass claimed that information from more than 150 million user accounts had been exposed.

Despite the size of the Adobe breach, the Cupid Media hack is probably worse, claimed Wisniewski.

"The unencrypted nature of the sensitive information would arguably make this the worst breach of 2013," Wisniewski wrote. "While Adobe lost 150 million records, they had at least protected the user account information with encryption, albeit incorrectly."

Keith Wagstaff writes about technology for NBC News. He previously covered the tech beat for TIME's Techland and wrote about politics as a staff writer at TheWeek.com. You can follow him on Twitter at @kwagstaff and reach him by email at: Keith.Wagstaff@nbcuni.com

TOP