
42 million dating-site passwords exposed in security breach

This wasn’t the kind of intimacy users were looking for.


Miles Klee


To be unlucky in love is bad enough, but to find out that someone is only interested in you for your password? That’s got to sting. Sadly, that’s the position some 42 million online daters past and present currently find themselves in, due to a security breach that occurred earlier this year. Though not all of them know they’ve been exposed.

Brian Krebs of KrebsOnSecurity encountered the Cupid Media data—in plaintext, no less—on a server where hackers had also stored files pilfered from Adobe and PR Newswire. Cupid is an Australian company that offers niche services based on country, lifestyle, and ethnicity. It has no corporate affiliation with OkCupid, whose users can rest easy (for now).

Krebs was able to break down the email addresses involved to make some curious observations; he noted that 56 Department of Homeland Security employees had registered for a Cupid site with their work account, for example. And since he didn’t have to decrypt the passwords, he was able to identify the most common: more than 1.2 million people went with “111111,” but nearly 2 million opted for the more sophisticated “123456.” Has nobody here seen Spaceballs? The alphabetic codes weren’t much better, and certainly sadder: “iloveyou,” “loveme” and “mylove” all made the top 10 in that category. Perennial favorite “password” shows up too.

Cupid Media’s managing director, Andrew Bolton, confirmed that the leak was associated with a breach in January, noting that since those events, “we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords.” Still, it’s far from a sure thing that every user affected has been notified of the intrusion and taken steps to protect themselves—especially since at least 12 million of them have “old, inactive or deleted accounts.”

The worry was never that someone might take control of your dating profile and impersonate you. It’s rather a question, as Krebs points out, of ending up on a spam list or opening the door to broader identity theft. If you’re the type to use the same password across multiple accounts (and if you’re using passwords this flimsy, it’s likely you are), any one of them could be vulnerable to unauthorized entry. Just one more reason to find romance in meatspace, it seems.  

H/T KrebsOnSecurity | Photo by Eduardo Acierno/Flickr  

The Daily Dot