Home page logo

dataloss logo Data Loss mailing list archives

Dear John, thoughts on the Cupid Media breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Nov 2013 01:04:13 -0700


There has been a veritable orgy of large data breaches over the last couple
years. While a lot of folks have been aware of the major breaches that have
come down the pipe, there is one that stands out as a "wait, what?" moment
in time. That would belong to Cupid Media.

From Cupid Media:

"Online safety
"We believe our customers deserve peace of mind. Cupid Media undertakes
every possible method necessary to ensure a secure environment within which
members can look for a potential partner. We use an advanced fraud
prevention system and routine member checks to provide the highest level of
internet protection possible on a dating service."

The irony is painfully thick in the case. I'm reminded of the Great and
Powerful Oz sitting behind the curtain demanding the adventurers to obey.
Instead what we find is that yes, that Oz was not all that he was chalked
up to be. Rather, a fraud. In Cupid Media's case I'm seeing some
frightening parallels.

42 millions users of Cupid Media had their passwords exposed in a massive
breach that appears to have not been previously disclosed. Nor does any
mention of it appear on Cupid Media's site as of this writing. Apparently,
my understanding of a "secure environment" is a flawed one based on the
aforementioned passage.

Sites get compromised all the time. I get that. There is no covering up the
fact that it happens and will continue to happen as long as hands touch
keyboards and software has defects. The law of the land. But, don't mislead
your customers.

From AussieCupid, a Cupid Media property, this passage,

"5.3 Security of information

"Unfortunately, no data transmission over the internet can be guaranteed as
being totally secure. Whilst we strive to protect such information, we do
not warrant and cannot ensure the security of any information which you
transmit to us. Accordingly, any information which you transmit to us is
transmitted at your own risk. Nevertheless, once we receive your
transmission, we will take reasonable steps to preserve the security of
such information."

Define "reasonable".

In this case it appears that the company had not even taken basic steps to
secure the data of their customers. Passwords for 42 million customers were
apparently stored in plain text.

The passage on the Cupid Media property regarding "security of information"
seemed oddly familiar. So, I pasted it into Google. What I received was
3,550 results. I cringe at the thought that those other sites might have a
similar approach to data security.

From the article by Brian Krebs which broke the story this past Tuesday,

“In January we detected suspicious activity on our network and based upon
the information that we had available at the time, we took what we believed
to be appropriate actions to notify affected customers and reset passwords
for a particular group of user accounts,” Bolton said. “We are currently in
the process of double-checking that all affected accounts have had their
passwords reset and have received an email notification.”

Krebs noted that there was no public record to be found for the stated
breach which apparently took place in January 2013. I even checked on the
Way Back Machine and nope, there was no posting on the Cupid Media site at
the time.

Were you a customer of a Cupid Media property in January 2013? Did you
receive an email from the company? If so, would you mind sending it to me?
I would love to share it, with your name removed of course.

When it is your responsibility to secure your customers data, do it.

Don't pee on my leg and tell me that it's raining.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.

  By Date           By Thread  

Current thread:
  • Dear John, thoughts on the Cupid Media breach Audrey McNeil (Dec 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]