OkCupid Users Victims of Credential Stuffing

Love is in the air this week, but cyber-criminals are reportedly targeting user accounts on dating sites like OkCupid ahead of Valentine’s Day. Multiple news outlets have reported that OkCupid users say their accounts have been hacked, which the company says is likely the result of credential stuffing.

“There has been no security breach at OkCupid. All websites constantly experience account takeover attempts and there haven't been any increases in account takeovers on OkCupid. There's no story here,” a spokesperson shared in a statement.

According to the website's Help page, “Account takeovers...happen because people have accessed your login information. That can happen in a few ways. The simplest, of course, is using a password that's easy to guess. Another option is because of a breach on another site. If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach.”

Given that 2018 was a record-breaking year for the number of records exposed in data breaches, it’s likely that hackers can purchase user credentials on the dark web. If a malicious actor attempts an account takeover using stolen credentials, two-factor authentication (2FA) can stop them from gaining access; OkCupid does not use 2FA.
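As an added illustration (not part of the article, and not OkCupid's code), the following detection logic shows how a site operator could separate a credential-stuffing run from an ordinary single-account brute-force attempt in its own login logs; the log format, thresholds and IP addresses are constructed for the example.

```python
# Added example (not from the article): flag credential-stuffing patterns in
# constructed login logs. Stuffing looks different from brute force: one source
# tries MANY distinct usernames, one or two attempts each, and most fail because
# credential pairs leaked from other sites rarely match this one.
from collections import defaultdict

# Constructed sample lines: "timestamp src_ip username outcome"
SAMPLE_LOG = """\
2019-02-12T10:00:01 203.0.113.7 alice FAIL
2019-02-12T10:00:02 203.0.113.7 bob FAIL
2019-02-12T10:00:02 203.0.113.7 carol OK
2019-02-12T10:00:03 203.0.113.7 dave FAIL
2019-02-12T10:00:03 203.0.113.7 erin FAIL
2019-02-12T10:00:04 203.0.113.7 frank FAIL
2019-02-12T10:00:05 203.0.113.7 grace FAIL
2019-02-12T10:00:05 203.0.113.7 heidi FAIL
2019-02-12T10:01:10 198.51.100.4 alice FAIL
2019-02-12T10:01:15 198.51.100.4 alice OK
2019-02-12T10:02:00 192.0.2.9 ivan OK
"""

def parse_log(text):
    """Parse lines into (src_ip, username, outcome); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((parts[1], parts[2], parts[3]))
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Flag sources that hit >= `min_users` distinct accounts with a failure ratio
    >= `min_fail_ratio`; `compromised` lists accounts such a source did log into
    (takeovers to review). A retry burst on one account (198.51.100.4) is not flagged."""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "ok": []})
    for src, user, outcome in events:
        s = per_src[src]
        s["users"].add(user)
        if outcome == "OK":
            s["ok"].append(user)
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / (s["fails"] + len(s["ok"]))
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": ratio, "compromised": sorted(s["ok"])}
    return flagged
```

Accounts listed under `compromised` are the ones to force a password reset on and to notify, since the attacker's password guess was correct there.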

“With so many consumer apps available, it is more important than ever for people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well,” said Juliette Rizkallah, chief marketing officer at SailPoint. “More hackers are using credential stuffing techniques in which they take advantage of users who are not following password best practices so that they can breach multiple accounts, including business applications, by the same user.”

“While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”

Consumers are often the weakest link, which is true even when it comes to protecting their own privacy. “Passwords are frequently reused across sites and legacy endpoint protection often doesn’t pick up certain malicious tools such as keyloggers,” said Terence Jackson, chief information security officer at Thycotic.

“This highlights the need for consumers to practice better cyber hygiene, for example using a password manager, avoiding risky sites and applications and maybe even avoiding services that don’t offer MFA. It’s also likely that some of the OkCupid users were phished and willingly handed over access to their accounts as phishing attacks have gotten more sophisticated and prevalent.”