Hackers reportedly breached servers in January belonging to Cupid Media, a niche dating service with 30 million users, stealing more than 42 million unencrypted passwords and various other sensitive data.
Cupid Media operates a variety of niche dating sites based on ethnicity, religion, physical appearance, special interests, lifestyle and more.
Brian Krebs, who first obtained information about the attack earlier this month, suggests that the Australia-based online dating service may have failed to remove information belonging to users who had deleted their accounts. This, Krebs said, is likely how the site ended up exposing the information of more users than are currently registered there.
The Cupid Media compromise, which the company’s managing director, Andrew Bolton confirmed to Krebs, demonstrates two troubling realities: users are still bad at creating passwords and some companies are still failing to encrypt user data, passwords in particular.
According to the report, the hack exposed the names, email addresses, and birthdays of current and former users as well. The stolen information was found on a server which contained information from other recent data breaches, including some of the 2.9 million customer records stolen from Adobe, uncovered by Krebs.
Krebs examined the passwords used on the Cupid Media service, making lists of the top-ten numeric and non-numeric passwords. What he found was not promising:
Graphs via Krebs on Security