Hack of Cupid Media dating website exposes 42 million plaintext passwords

181 points by fmavituna over 11 years ago

20 comments

nly over 11 years ago
Before the bcrypt/scrypt advocacy and general shaming starts... I'll just make the same comment I always do when this happens: the answer is not more server side hashing.

Trusting remote services with plaintext passwords is broken to begin with. We shouldn't give them the chance to mess this up. We need client side hashing and key-stretching that only something like SRP can provide:

https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

The sooner we stop pretending there are no better answers than sending the contents of a password field raw over the wire, over SSL or not, and the sooner the web browser vendors and W3C start fixing this, the better. TLS-SRP is a ray of hope, but we need lighter, easier to deploy solutions that work at the application level rather than below HTTP.

In what alternate reality are we living where the W3C are working on Javascript cryptography before improving basic, fundamental, built-in authentication?
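nly's point is that a protocol like SRP lets the client prove it knows the password without ever sending it, so the server holds only a salt and a verifier. The following is an added example (not code from the thread, and not taken from any SRP library) of the SRP-6a exchange with both sides' messages, using SHA-256 and the 1024-bit group from RFC 5054 (assumed to be transcribed correctly; check it against the RFC before relying on it). Function names such as run_exchange and the sample credentials are my own.

```python
"""SRP-6a password-authenticated key exchange, both sides in one file.

Added example. The server stores only (salt, verifier); the password
never leaves the client and a passive observer learns nothing about it.
"""
import hashlib
import secrets

# RFC 5054 1024-bit safe-prime group (assumed correct transcription), g = 2
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as SRP-6a requires for k and u."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    # x = H(s | H(I ":" P)); replace the inner hash with scrypt/bcrypt to add stretching
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username: str, password: str):
    """Registration, run on the client: the server receives only (salt, v)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                 # client -> server: I, A


def server_start(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N   # server -> client: salt, B


def scrambler(A: int, B: int) -> int:
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0, abort")
    return u


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("bad server public value, abort")
    x = private_x(username, password, salt)
    u = scrambler(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("bad client public value, abort")
    u = scrambler(A, B)
    S = pow(A * pow(v, u, N) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def client_proof(username, salt, A, B, K) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K)"""
    hn = hashlib.sha256(pad(N)).digest()
    hg = hashlib.sha256(pad(g)).digest()
    hxor = bytes(p ^ q for p, q in zip(hn, hg))
    hi = hashlib.sha256(username.encode()).digest()
    return hashlib.sha256(hxor + hi + salt + pad(A) + pad(B) + K).digest()


def server_proof(A, M1, K) -> bytes:
    """M2 = H(A | M1 | K)"""
    return hashlib.sha256(pad(A) + M1 + K).digest()


def run_exchange(username: str, registered_pw: str, attempted_pw: str) -> bool:
    """Full login flow; True only when both proofs verify."""
    salt, v = make_verifier(username, registered_pw)   # what the server stores
    a, A = client_start()                               # client -> server
    b, B = server_start(v)                              # server -> client
    K_c = client_session_key(username, attempted_pw, salt, a, A, B)
    K_s = server_session_key(v, b, A, B)
    M1 = client_proof(username, salt, A, B, K_c)        # client -> server
    if not secrets.compare_digest(M1, client_proof(username, salt, A, B, K_s)):
        return False                                    # wrong password: reject
    M2 = server_proof(A, M1, K_s)                       # server -> client
    return secrets.compare_digest(M2, server_proof(A, M1, K_c))


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse", "correct horse"))  # True
    print(run_exchange("alice", "correct horse", "wrong"))          # False
```

A stolen verifier table still permits offline guessing against x, which is why the key stretching nly mentions belongs in the private_x derivation; what SRP adds over server-side hashing is that the server never sees the password at all, so a compromised or careless service cannot leak it in plaintext.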
mfkp over 11 years ago
Had to look it up - unrelated to OkCupid. For those interested, here's a list of their web properties: http://www.cupidmedia.com/services.cfm
MattBearman over 11 years ago
I can't get my head around how this still happens.

A few years back I took over development of an old PHP website, which had a horrible code base (no framework or library, not even MVC). This site had around 30,000 users, all with plain text passwords.

It took me all of a couple of hours to get the site using bcrypt.

I'm not saying I'm some kind of super-rock-ninja-star developer, just that this is so easy to fix, even on monstrous, legacy code bases.

There really is no excuse.
SilkRoadie over 11 years ago
What gets me is that security professionals keep talking about layers of security. I don't understand how many recent attacks have resulted in complete breaches.

Adobe had source code taken, vB gave over pretty much complete server access.

You now have Cupid Media not even hashing passwords. The final defense of user information ignored.

It took me 3 days to implement password security on a legacy system. Implemented password strength requirements. Users trying to sign in with weak passwords were flagged and forced to change their password to meet new requirements. Plain text passwords were hashed with bcrypt. One guy... 3 days.

The UK has the ICO. I would like to see these getting involved in cases like this, where they can fine websites catering to UK users who show negligence when storing user information. If it is not currently within their powers I would like to see a law change. There should be more accountability for website owners.

http://www.ico.org.uk/
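MattBearman and SilkRoadie describe the same procedure: hash the legacy plaintext column in one pass, then on each login verify against the hash and force users whose password turns out to be weak to change it. Below is an added example of that procedure, not code from either commenter. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (the migration logic is identical for either); the legacy user table, the weak-password list and the function names are constructed for illustration.

```python
"""Legacy plaintext table -> hashed passwords, with weak-password flagging at login.

Added example. PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs with the
standard library only; the cost parameter is kept modest for the example.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Salted, iterated hash in a self-describing 'scheme$iters$salt$hash' form."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


# Constructed legacy table in the shape the posts describe: a plaintext column.
LEGACY_USERS = [
    {"username": "alice", "password": "correct horse battery staple"},
    {"username": "bob", "password": "123456"},
    {"username": "carol", "password": "password"},
]

# Constructed blocklist; a real deployment would use a large breached-password list.
WEAK_LIST = {"123456", "password", "12345", "11111", "qwerty"}


def is_weak(password: str) -> bool:
    return len(password) < 8 or password.lower() in WEAK_LIST


def migrate(legacy_rows):
    """One-shot migration: hash every plaintext password and drop the plaintext column."""
    return {
        row["username"]: {"password_hash": hash_password(row["password"]), "must_change": False}
        for row in legacy_rows
    }


def login(users, username: str, password: str) -> str:
    """Returns 'denied', 'must_change' (correct but weak), or 'ok'."""
    record = users.get(username)
    if record is None or not verify_password(password, record["password_hash"]):
        return "denied"
    # The plaintext is only available at sign-in, so weakness is assessed here.
    if record["must_change"] or is_weak(password):
        record["must_change"] = True
        return "must_change"
    return "ok"


def change_password(users, username: str, old: str, new: str) -> bool:
    """Requires the current password and rejects a new password that is itself weak."""
    if login(users, username, old) == "denied" or is_weak(new):
        return False
    users[username] = {"password_hash": hash_password(new), "must_change": False}
    return True


if __name__ == "__main__":
    table = migrate(LEGACY_USERS)
    print(login(table, "alice", "correct horse battery staple"))  # ok
    print(login(table, "bob", "123456"))                          # must_change
```

The weak-password check happens at login rather than during migration because once the column is hashed the plaintext exists only when the user types it; that is why SilkRoadie's system flagged users at sign-in rather than in a batch. Storing the scheme and iteration count alongside each hash is what lets a later move to bcrypt or a higher cost happen user by user on the same login path.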
brudgers over 11 years ago
What this story shows is that sometimes '12345' makes sense as a password - i.e. when credential security doesn't matter to the user. If I use '11111' to sign up for a onetime visit to a website, then there's no nexus with my online banking account other than an email address - assuming even the most feeble attempt at picking a 'secure' password for my banking.

This is why it is often silly when articles condemn users for weak passwords when a password list is stolen. The proper assumption is that any password I use is stored and transmitted in plain text and just now falling into the hands of bad people.

This is the reason that, until I started expressing this idea on HN, my HN password was "hackernews". If HN was breached, I was no less secure. Sans the pursuit of lolz, it wasn't even worth trying to guess.

Of course, I changed it to something harder to prevent mischief since some individuals might have seen my comments as a challenge.
stfu over 11 years ago
Just a random question: Is there anything that gives companies incentive to prevent such hacks? It seems that there are no consequences at all, except for some loss of reputation in the tech community. Is there a way to put legal pressure on tightening up security?
Torn over 11 years ago
> Making matters worse, many of the Cupid Media users are precisely the kinds of people who might be receptive to content frequently advertised in spam messages, including male enhancement products, services for singles, and diet pills.

Oh wow. So Internet dating users are generally stupid, under-endowed, desperate and overweight?
NKCSS over 11 years ago
And now we wait for the dump to show up... will be useful, larger than the rockyou plain.
mattholtom over 11 years ago
We can help in some small way. Advocate for the use of password managers like LastPass and KeePass that use a different securely generated pw for each site.
ibsathish over 11 years ago
Still in web 0.0, storing passwords in plain text? Awful.
jstalin over 11 years ago
Anyone know where to find the password dump?
sawthatcoming over 11 years ago
This was already very clear. The whole website was flawed and it probably was known by individuals for a longer time... Bypass payments, change other people's profile, read other people's messages. It does not stop here.
markdown over 11 years ago
This is getting ridiculous.

When are we going to see legislation enacted to take these people to task?

Surely there is a case to be made that their negligence causes (or has the potential to cause) real harm to their users.

We need a Saul Goodman to put together a class action.
fiatmoney over 11 years ago
Time for civil liability for these breaches. At this point the risk of storing plaintext passwords is known enough that it should qualify as negligence.
valvoja over 11 years ago
Next article on Hacker News: "Hack of Cupid Media dating website exposes xx million fake dating profiles"?
kstop over 11 years ago
So that's what - 30 million male users, 1 million female, and 11 million spam-and-scam bots?
brianbreslin over 11 years ago
Tangentially related: I am a LifeLock member (not sure if it's worth it, but it gives me some peace of mind), and recently got email alerts from them saying my Adobe login info was found for sale on several black market sites.
Jagat over 11 years ago
After the Adobe/Cupid breaches, it is high time some governing body mandates every website to reveal on their privacy policy page how passwords are stored on their servers.
diminoten over 11 years ago
Anyone have a copy of the password list? 42 million passwords would be fun to analyze.
jheriko over 11 years ago
Maybe I am just stupid, but how are password managers secure?

I've seen people using them, and if I were of a less honourable persuasion I could abuse that quite easily... on the other hand, it's impossible for me to steal information from out of their brain (so far at least).