DATING WEBSITE OUTFIT Cupid Media has been caught up in a security scandal that suggests that 42 million user credentials have been compromised.
The discovery was made by security researcher Brian Krebs of Krebs on Security. He found the data on the same server that contained data gained from hacking attacks on other well known organisations, including Adobe and PR Newswire.
Cupid Media, which is not the same as OK Cupid, which is a dating alternative, calls itself a "niche online dating network with over 30 dating sites offering Asian dating, Latin dating, Filipino dating, military dating and more."
Krebs says that he uncovered the data early in November and approached the firm about it. A response came eight days later, he added, from Andrew Bolton, the company's managing director.
Bolton told Krebs that it appears that the data came from a breach in January.
"In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," he said.
"We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."
Krebs has posted an image from the database of emails and passwords with personal information redacted, and it shows that the documents are stored in plain text. Worse, perhaps, is the quality of the passwords, and almost two million are "123456".
Bolton told Krebs that a lot of the accounts were old and inactive, and that the actual number of affected people was well shy of 42 million.
"Subsequently to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements," he added.
"We would like to thank you for bringing this issue to our attention and I can confirm that we are committed to investigate this matter further and make any additional improvements still required." µ
Attackers could 'easily compromise' an entire company by exploiting AV security flaws
Nobody knows it, but you've got a secret smiley
Plummeting pound forces firm's hand
'Nothing changes in the short term,' says Jim Killock