Unfortunately for Cupid, which has 30 million users, it kept member names, email addresses, passwords and birthdays on the same server that hackers broke into to lift information from Adobe, PR Newswire and the National White Collar Crime Center (NW3C) in recent high-profile heists.
Andrew Bolton, Cupid’s managing director, told Krebs that the breach happened in January, and that the company notified the affected love-seekers.
“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” he said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
He also said that many of the accounts in the stolen database were inactive or had been previously deleted. That echoes Adobe’s recent breach – a massive compromise of 150 million people’s email and password information – where only 38 million active users in the leaked database were notified, under the same reasoning that it’s unnecessary to take action on inactive accounts.
But Krebs wrote in his blog that “all of the Cupid Media users I’d reached confirmed their plain text passwords as listed in the purloined directory.” And regardless, “too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address,” he added.
Most users registered for the site with Gmail, Hotmail or Yahoo addresses – which are unlikely to have been changed, regardless of whether or not the individuals still use Cupid. As such, the incident is a spammer’s paradise as well.
Bolton also said that Cupid hired external consultants and implemented a range of security improvements, including hashing and salting of passwords, and that it now requires users to choose stronger passwords. Krebs noted that 10% of the users in the leaked database employed simple passwords, with “123456” alone appearing a whopping 1.9 million times.
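To illustrate the two fixes Bolton describes, here is an added example (not Cupid Media's code; the leaked-style password list is constructed) that contrasts what a plaintext password column gives away with per-user salted hashing, and adds a minimal strength check of the kind that would have rejected “123456”. PBKDF2-HMAC-SHA256 and the iteration count are this example's choices, not something the article specifies.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed stand-in for a leaked plaintext password column (values made up).
LEAKED_PLAINTEXT = ["123456", "123456", "iloveyou", "123456", "Tr0ub4dor&3", "password"]

# Small deny-list of trivially guessable passwords (constructed for the example).
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "111111", "123456789"}

# PBKDF2 work factor; assumed value, tune to the hardware that verifies logins.
ITERATIONS = 600_000


def most_common_passwords(plaintexts, n=3):
    """Tally a plaintext column the way a breach analysis would.

    This is only possible because the passwords were stored unhashed; the same
    tally over salted hashes reveals nothing, since equal passwords no longer
    produce equal stored values."""
    return Counter(plaintexts).most_common(n)


def is_acceptable(password):
    """Minimal strength policy: enforce a length floor and reject known-weak picks."""
    return len(password) >= 10 and password.lower() not in COMMON_PASSWORDS


def hash_password(password):
    """Return (salt, digest) using a fresh 16-byte random salt for this user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def store_directory(plaintexts):
    """Convert a plaintext column into per-user (salt, digest) records."""
    return [hash_password(p) for p in plaintexts]
```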