My friend Brian Krebs has done it again. Brian has just been breaking one big story after another over at his Krebs on Security blog. For those not familiar, Brian is a former reporter for the Washington Post. He left a few years ago to go out on his own. Since then, he has become perhaps the leading blogger on security. He consistently wins the most awards at the Security Blogger Awards every year and is held in the highest esteem by those in the security blogging industry. Krebs's latest report details the stealing of perhaps as many as 42 million clear text passwords and personal information from online dating site Cupid Media.
In case you don't know the name Cupid Media, these are the folks who run niche dating sites where you meet people from certain racial or ethnic backgrounds, even certain religious backgrounds. They are perhaps the biggest niche dating service in the world. According to Krebs's report, they have 30 million active members, but Brian says as many as 42 million accounts were pilfered.
What makes it worse is that the information stored by Cupid was not even encrypted! That's right. The personal information, including names, email addresses, dates of birth and passwords, was stored in clear text files that the hackers were able to access. No brute force to crack the hash or anything like that. They just had to read the file. That is just ridiculous.
Looking at the list of passwords contained in the stolen accounts shows the same old sad story. Almost 2 million of the accounts use the six-character password 123456. The list is rounded out by the usual suspects, with a generous amount of iloveyou thrown in. Here is the list of top numeric passwords and a list of top alphanumeric passwords from the stolen accounts:
Some might say that with so many people putting down false information on these dating sites, users don't take security too seriously anyway, and that may explain all of the easy passwords. Users didn't value the information they were protecting. While that may have some validity, the sad truth is that many sites, unless they have strong password policies in place, have a similarly dismal record on the passwords their users choose.
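To make the two failures concrete (clear text storage, and no policy to stop 123456 or iloveyou), here is an added example of how a site should handle the same data. It is my illustration, not code from Cupid Media or from Krebs's report; the short denylist, the 12-character minimum and the PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed denylist seeded with the passwords named in the post.
# A real policy would load a much larger breach-derived list.
COMMON_PASSWORDS = {"123456", "iloveyou", "password", "123456789", "qwerty"}
MIN_LENGTH = 12          # assumed policy value
ITERATIONS = 200_000     # assumed PBKDF2 work factor


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, slow hash instead of the clear text password.

    A fresh random 16-byte salt is generated unless one is supplied, so two
    users with the same password get different records and a stolen file
    cannot be read directly the way the Cupid file was.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("123456", "iloveyou", "correct horse battery staple"):
        print(candidate, "->", check_policy(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("123456", record))
```

Even if the whole record file leaks, the attacker still has to spend 200,000 PBKDF2 rounds per guess per account, which is exactly the brute force step Cupid's clear text storage let the hackers skip.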
For me, the real answer is getting rid of passwords altogether. We need a better way of safeguarding our data than using passwords. I have advocated password managers both here and in dealing with clients, friends and family for years, yet people just don't use them in sufficient numbers. I don't think they ever will. Two-factor authentication, biometrics or something else has to rise to the top here and free us all from password purgatory, where we see breaches like this one, the one at Adobe before it and so many others before that.
In the meantime, if you have a Cupid account, go change your password if you have not done so already. Most of the email addresses on Cupid accounts were Hotmail, Gmail and Yahoo addresses, but surprisingly there were a few from the Department of Homeland Security (if they were real). Probably not a great place to be using your work email address.
Remember that when you put your personal data online anywhere, you are relying on the provider that stores it to keep it secure. If it is not important to you, then that's fine, but if it is, you should check what they are doing to safeguard your information.
In the meantime, you should keep an eye on Brian Krebs's blog for updates on this and other data breach news.