Cupid Media Breach Exposes 42 Million Users' Passwords in Plain Text
While many of the accounts are inactive, those passwords may well have been reused on other sites.
Krebs on Security's Brian Krebs reports that data from the Australian dating site Cupid Media was found on the same server where hackers had stored stolen records from Adobe, PR Newswire and the National White Collar Crime Center (NW3C).
The data includes more than 42 million customers' names, e-mail addresses, birthdates and passwords -- all in plain text.
Cupid Media managing director Andrew Bolton told Krebs that the data appears to be connected to a breach that took place in January 2013. "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Bolton said.
Bolton also told Krebs that "a large portion of the records located in the affected table related to old, inactive or deleted accounts" -- but as Krebs notes, inactive users who reused their passwords on other sites are still at risk, and may never be notified of the breach.
"It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average Internet users," Patrick Thomas, security consultant at Neohapsis, said in a statement. "Using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site. Most Internet users will be far better off using random, unique passwords and simply writing them down, or taking advantage of password vault programs that help generate and store passwords."