42 million passwords exposed following massive dating website hack

Graham Cluley @gcluley

In what must rate as one of the worst password security breaches ever, it has been discovered that the names, addresses, dates of birth and unencrypted passwords of over 40 million online daters have been stolen by hackers.

Yes, that’s right, the passwords were not protected at all. They were stored by the hacked company in *plaintext* format. A disaster waiting to happen…

Online dating user information. Source: Brian Krebs

Security blogger Brian Krebs has reported that an intrusion at online dating firm Cupid Media earlier this year resulted in hackers getting away with the haul of valuable data. It has since been discovered on a web server, alongside data stolen in other hacks, including a recent attack against Adobe.

Cupid Media is a firm based in Queensland, Australia, that runs a wide variety of niche dating websites including AsianDating.com, ChristianCupid.com, SingleParentLove.com, GayCupid.com, and ThaiLoveLinks.com amongst many others.


In conversation with Krebs, Cupid Media managing director Andrew Bolton said that the database included details of inactive users, as well as current customers, and was probably related to a security breach that occurred at the company in January 2013.

Andrew Bolton told Brian Krebs:

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts. We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

What’s alarming is that there don’t appear to have been any media reports confirming that a security incident involving customer data occurred at Cupid Media in January 2013. That is very surprising if such a large number of users were put at risk.

Did customers not get informed? Did the firm sweep it under the carpet?

Right now, the true facts remain unclear.

However, what is very clear is that many of the passwords exposed in this latest security breach are woefully bad choices by Cupid Media’s users.

Here is a list of the ten most commonly used passwords, according to the Cupid Media customer database seen by Brian Krebs:

| Password | Number of times used |
|---|---|
| 123456 | 1,902,801 |
| 111111 | 1,212,235 |
| 123456789 | 574,914 |
| 1234567 | 173,235 |
| 12345678 | 140,734 |
| 000000 | 107,996 |
| iloveyou | 91,269 |
| 1234567890 | 81,775 |
| ?????? | 79,046 |
| 123123 | 79,013 |

Pretty pitiful. And the same can be said for the top non-numeric passwords:

| Password | Number of times used |
|---|---|
| iloveyou | 91,269 |
| lovely | 54,045 |
| qwerty | 40,023 |
| password | 37,241 |
| azerty | 33,579 |
| loveme | 32,645 |
| aaaaaa | 30,273 |
| mylove | 28,266 |
| iloveu | 23,787 |
| zxcvbnm | 20,362 |

These passwords would be abysmal choices if the websites had been storing them in a secure, encrypted format. However, they apparently weren’t even doing that – storing the passwords in plaintext, meaning they were instantly readable by the human eye as easily as you are reading this password right now.
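For site operators, here is what the alternative to plaintext storage can look like. This is an added example, not code from Cupid Media or from the original article: it stores only a salted scrypt hash and refuses the passwords from the two tables above at sign-up. The minimum length, the scrypt cost parameters and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Passwords from the two top-ten tables in this article ("??????" omitted).
COMMON_PASSWORDS = {
    "123456", "111111", "123456789", "1234567", "12345678", "000000",
    "iloveyou", "1234567890", "123123", "lovely", "qwerty", "password",
    "azerty", "loveme", "aaaaaa", "mylove", "iloveu", "zxcvbnm",
}

MIN_LENGTH = 10  # assumed policy value, not taken from the article
# Assumed scrypt cost parameters; tune them for your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def is_acceptable(password: str) -> bool:
    """Reject passwords that are too short or appear on the breach list."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex'; the plaintext itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = record.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def register(db: dict, user: str, password: str) -> bool:
    """Create the account only if the password passes the policy check."""
    if user in db or not is_acceptable(password):
        return False
    db[user] = hash_password(password)
    return True
```

Because every account gets its own salt, two users who pick the same password end up with different stored records, so a stolen table no longer reveals at a glance how many people chose the same one.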

Of course, it’s possible that Cupid Media has mended its ways and now stores its dating customers’ passwords in a more secure fashion. Let’s hope so.

But in the meantime, if you are a user of any of these websites, you need to ensure that you are not using the same password on any other website, and always use a password that is hard to guess and tricky to crack.

The truth is that you should never use the same password on multiple websites.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a hack like this, a phishing attack or keylogging spyware) and then hackers using it to unlock your other online accounts.

If you find passwords a burden – simply use password management software like Bitwarden, 1Password, and KeePass.

Read more about the Cupid Media hack on the Krebs on Security website.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “42 million passwords exposed following massive dating website hack”

    1. Yeah, people are even writing about it on Santander's facebook now (see Yvonne Law's post from Nov 16 at https://www.facebook.com/santanderuk?fref=ts&filter=2 )

      My own (uniquely given to Santander) email address is now receiving the generic "we tried to deliver a parcel, please open this .zip file" trojans rather than the message being specific to financial institutions. Maybe this is a sign that the original perps have now sold their stash of email addresses to lower level crims?

      1. @Sant Customer, I am Yvonne's husband, we got nowhere with our complaint, can I ask if you made a formal complaint and if so whether you got anywhere? We are contemplating contacting the media about it.
