Skip to main content

Dating site Cupid Media lost 42 million plain text passwords, didn't tell anyone

Online dating service company Cupid Media suffered a data breach earlier this year that exposed more than 42 million customer records, including names, email addresses, birthdays and passwords held in plaintext form.

The breach occurred in January 2013, and the company told no one for the last 11 months. Only the actions of security evangelist Brian Krebs uncovered the truth.

Cupid media describes itself as a "digital media and internet information services company that operates over 30 innovative, interactive dating sites focused on niche markets based on ethnicity, religion, physical appearance, sexual preference or special interests."

The Southport, Australia-based company, released a statement via their managing director, Andrew Bolton:

"In January we detected suspicious activity on our network." He continued, "based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts."

Similar to Adobe Systems after their catastrophic breach of 38 million user details, Cupid Media is claiming that it was only necessary to notify their active users, rather than all users who have ever opened an account with them.

As Krebs writes, "The danger with such a large breach is that far too many people reuse the same passwords at multiple sites."

This means that a compromise like this "can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user's email address."

Indeed, Facebook has recently been mining the massive horde of Adobe data, and notifying users who have reused the same email and password for both accounts.

Perhaps more worrying is the domains to which many of these email addresses are registered. While 17.4 million of the users used Yahoo Mail addresses, and 13.5 million used Hotmail, 9,844 users used .gov email addresses, suggesting that they are US government employees.

Shockingly, 56 users registered with domains – the US Department of Homeland Security. This has the potential, then, to be an embarrassment not only for a single Australian dating site company, but for the US national security infrastructure.

At a roundtable discussion organised by Trend Micro today, Vinod Bange, partner at law firm Taylor Wessing, said that "at the moment we're seeing only certain companies and certain sectors who are forced to mandatorily reveal when their data has been breached."

This has led to a dangerous situation in which not only are companies not obliged to reveal when passwords and data have been lost, but where they are actually seeing a disincentive in the form of loss of reputation for data security.

One thing's for certain: The Cupid Media debacle isn't the last enormous data breach we'll hear about – although hopefully it is the last of 2013.