Dating site Cupid Media left personal details and plain text passwords for 42 million users exposed after an attack earlier this year. The details included names, emails and birthdays for users of the dating service, according to Brian Krebs of Krebs on Security.
The data was discovered on the same server containing records for tens of millions of Adobe users leaked in a recent breach, according to Krebs.
The attack appeared to have been committed by the same group of hackers responsible for the Adobe hack and other attacks on companies including PR Newswire, according to The Register’s report.
Darknet’s report on the attack points out that no public announcement was made at the time of the intrusion – thought to be January 2013. Darknet also points out that 1.9 million users used the password “123456”, which, the site says, would have offered no protection even if the passwords had been encrypted.
Krebs points out that a further 91,000 users employed “iloveyou” as their password.
“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Andrew Bolton, Cupid Media’s MD, told Krebs. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
Bolton said that many of the records referred to “old, inactive or deleted” accounts.
“Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords,” Bolton told Krebs. “We have also implemented the need for consumers to use stronger passwords and made various other improvements.”
Adobe admitted that around 38 million active users may have had IDs and encrypted passwords accessed in a breach earlier this year; that data was discovered on the same server as the data from Cupid Media.
ESET researcher Stephen Cobb described the breach as “unprecedented” at the time, because attackers also appeared to have accessed source code for Adobe’s Acrobat software – and the company now admits that source code for other products such as Photoshop also leaked.
Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”
Author Rob Waugh, We Live Security