
Hack of Cupid Media dating website exposes 42 million plaintext passwords - fmavituna
http://arstechnica.com/security/2013/11/hack-of-cupid-media-dating-website-exposes-42-million-plaintext-passwords/
======
nly
Before the bcrypt/scrypt advocacy and general shaming starts... I'll just make
the same comment I always do when this happens: the answer is not more server
side hashing.

Trusting remote services with plaintext passwords is broken to begin with. We
shouldn't give them the chance to mess this up. We need client side hashing
and key-stretching that only something _like_ SRP can provide:

[https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol)

The sooner we stop pretending there are no better answers than sending the
contents of a password field raw over the wire, over SSL or not, and the
sooner the web browser vendors and W3C start fixing this, the better. TLS-SRP
is a ray of hope, but we need lighter, easier to deploy solutions that work at
the application level rather than below HTTP.

In what alternate reality are we living where the W3C are working on
Javascript cryptography before improving basic, fundamental, built-in
authentication?

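An SRP-6a round trip in the spirit of the protocol nly points to, added here as an illustration and not code from the thread: the server stores only a salt and verifier, never the password, yet both sides end up with the same session key. It assumes a toy 521-bit modulus so it runs instantly (real deployments use an RFC 5054 group), g = 5, SHA-256 everywhere, and omits the final key-confirmation messages.

```python
"""SRP-6a exchange with toy parameters (added example, not from the thread)."""
import hashlib, secrets

N = 2**521 - 1   # toy modulus (a Mersenne prime); NOT a real SRP group
g = 5

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

k = H(pad(N), pad(g))   # SRP-6a multiplier parameter

def private_key(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username: str, password: str):
    """Signup, on the client: only salt and v = g^x are sent to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def server_session(v: int, b: int, A: int):
    """Server: B = k*v + g^b, then S = (A * v^u)^b from the stored verifier only."""
    if A % N == 0:
        raise ValueError("client public value A must not be zero mod N")
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N) % N, b, N)
    return B, hashlib.sha256(pad(S)).digest()

def client_session(username: str, password: str, salt: bytes, a: int, B: int):
    """Client: S = (B - k*g^x)^(a + u*x); the password never leaves this side."""
    if B % N == 0:
        raise ValueError("server public value B must not be zero mod N")
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    x = private_key(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()

def run_exchange(username: str, signup_pw: str, login_pw: str) -> bool:
    """Full round: True when client and server derive the same key."""
    salt, v = enroll(username, signup_pw)          # server stores (username, salt, v)
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)                                # client -> server: username, A
    B, key_server = server_session(v, b, A)         # server -> client: salt, B
    key_client = client_session(username, login_pw, salt, a, B)
    return key_client == key_server
```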
~~~
richardwhiuk
Realistically we need HTTP digest authentication [0] to use a better hash
function than md5, and we need it to be deployed by websites.

[0]
[http://en.wikipedia.org/wiki/Digest_access_authentication](http://en.wikipedia.org/wiki/Digest_access_authentication)

~~~
revelation
Realistically the problem with that isn't even MD5, it's the modal popup that
hasn't changed in any browser since 1999.

It's so unbelievably popular, Chrome copied the behavior despite not existing
in 1999. It's all over mobile, too...

~~~
nitrogen
I wonder if the original reason for using a modal OS-level popup was to prove
that it's not a fake prompt displayed by a malicious site.

------
mfkp
Had to look it up - unrelated to okcupid. For those interested, here's a list
of their web properties:
[http://www.cupidmedia.com/services.cfm](http://www.cupidmedia.com/services.cfm)

~~~
onion2k
Ironically, one of their sites is "OnlineDatingSafetyTips.com".

~~~
matthuggins
Pretty sure it's not ironic since dating safety != system security.

------
MattBearman
I can't get my head around how this still happens.

A few years back I took over development of an old PHP website, which had a
horrible code base (no framework or library, not even MVC). This site had
around 30,000 users, all with plain text passwords.

It took me all of a couple of hours to get the site using bcrypt.

I'm not saying I'm some kind of super-rock-ninja-star developer, just that
this is so easy to fix, even on monstrous legacy code bases.

There really is no excuse.

~~~
mattmanser
Because of this:

If a site is using plaintext passwords, often the owner _asked_ for it. They
wanted their users to be able to recover their passwords. And the dev didn't
understand why this was a bad idea. They need to be educated, convinced and
then convinced that the time you're about to spend on fixing this is more
important than the 101 other things going wrong because the original dev
wasn't very good. And isn't actually causing a single problem right now.

That also means that the password recovery function uses this code. Maybe
there's an auto-user generator when you sign up for the newsletter. The email
system obviously also uses that code. That also sometimes even means the
password is stored twice, once in the framework's user mgmt tables and once in
a user or person or the tblPRSN_UPDATED_OPTIMIZED_mc table. And just deleting
that column might cause all sorts of other problems. Setting it null might
cause bugs. Setting it empty string might cause a massive security hole as
there's a login mechanism you haven't even _found_ yet. (remember the Dropbox
breach?)

It's never a 3 hour job to fix unless you're very bad at estimating, are
working on something extremely trivial or do a half-ass job, potentially
introducing a far worse security hole.

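The migration MattBearman and mattmanser are arguing about, as an added example that is not code from the thread: a login path that verifies legacy plaintext rows once and replaces them with a hash, a sweep for users who never log in, and a fail-closed check so a NULL or blank password column can never authenticate. A dict stands in for the users table, and the standard library's hashlib.scrypt stands in for bcrypt so it runs without extra packages.

```python
"""Lazy plaintext-to-hash migration (added example; scrypt stands in for bcrypt)."""
import hashlib
import hmac
import secrets

PREFIX = "scrypt$"   # marks rows that have already been migrated

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return PREFIX + salt.hex() + "$" + digest.hex()

def verify_hash(stored: str, password: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$", 2)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against a table where some rows are still plaintext.
    Fails closed on NULL/empty columns: a half-finished migration that blanks
    the password column must never turn into a universal login."""
    stored = users.get(username)
    if not stored or not password:
        return False
    if stored.startswith(PREFIX):
        return verify_hash(stored, password)
    # Legacy plaintext row: verify, then replace it with a hash on the spot.
    if hmac.compare_digest(stored.encode(), password.encode()):
        users[username] = hash_password(password)
        return True
    return False

def migrate_remaining(users: dict) -> int:
    """One-shot sweep for users who never log in; returns rows converted.
    Blank rows are left alone so they keep failing closed in login()."""
    converted = 0
    for name, stored in list(users.items()):
        if stored and not stored.startswith(PREFIX):
            users[name] = hash_password(stored)
            converted += 1
    return converted

# Constructed sample table: one plaintext user, one blanked row, one more plaintext user.
USERS = {"alice": "hunter2", "bob": "", "carol": "s3cret"}
```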
~~~
jiggy2011
It's quite possible the dev knew it was a bad idea and maybe even argued
against it but was told to implement it this way anyway.

The problem a dating site probably has is people who sign up accounts and then
stop using them. They want to send these users reminder emails in the hope
that some of them re-engage.

Problem is that some of these users have probably forgotten which password
they use for that website, and some % of those will not bother using the
password reset mechanism.

So someone in marketing has the bright idea of sending emails that include the
username/password combo, the dev explains why this is a terrible idea and then
gets overruled.

~~~
relix
I include an "Instant Login" link in each mail so the users don't need to
remember their password. It contains a unique time-sensitive token to identify
the user and instantly sign them in (much like a password reset). I learned
this technique from OKCupid, so no idea why they still had plaintext
passwords.

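One way to build the time-sensitive "Instant Login" token relix describes, as an added example and not code from the thread or from OKCupid: an HMAC-SHA256 tag over a JSON payload that carries the user id and expiry, so a tampered or expired link identifies nobody. The server key is constructed at import time and the link prefix is a placeholder.

```python
"""Time-limited instant-login token (added example, not from the thread)."""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real key lives in a secret store
TAG_LEN = 32                           # SHA-256 output length

def make_login_token(user_id: int, now: int, ttl_seconds: int = 3600) -> str:
    """Token = base64url(payload || HMAC(payload)); the expiry sits inside the
    signed payload, so it cannot be extended without the key."""
    payload = json.dumps({"uid": user_id, "exp": now + ttl_seconds,
                          "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def verify_login_token(token: str, now: int):
    """Return the user id the token identifies, or None if malformed, tampered or expired."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)          # safe: the MAC proves we produced this payload
    if now >= data["exp"]:
        return None
    return data["uid"]

def instant_login_link(user_id: int, now: int) -> str:
    # Placeholder host; the mail template would embed this URL.
    return "https://example.invalid/login?token=" + make_login_token(user_id, now)
```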
~~~
mortehu
It turns out Cupid Media is unrelated to OkCupid.

------
SilkRoadie
What gets me is that security professionals keep talking about layers of
security. I don't understand how many recent attacks have resulted in complete
breaches.

Adobe had source code taken, vB gave over pretty much complete server access.

You now have Cupid Media not even hashing passwords. The final defense of user
information ignored.

It took me 3 days to implement password security on a legacy system.
Implemented password strength requirements. Users trying to sign in with weak
passwords were flagged and forced to change their password to meet new
requirements. Plain text passwords were hashed with bcrypt. One guy.. 3 days.

The UK has ICO. I would like to see these getting involved in cases like this.
Where they can fine websites catering to UK users who show negligence when
storing user information. If it is not currently within their powers I would
like to see a law change. There should be more accountability for website
owners.

[http://www.ico.org.uk/](http://www.ico.org.uk/)

~~~
16s
Often times, the hack is through a web front-end. Back-end systems (such as
DBs) are heavily firewalled, logged, monitored, etc. and are generally very
well protected. Systems guys (OS and DB) know security pretty well and have
been doing it for a long time now.

Much of the web software that powers the front-end is complex (PHP, Java,
.Net, JS, CSS, SQL, includes, 3rd-party libraries from everywhere, etc). That
complexity has a broad attack surface that is difficult and time consuming to
test. And many devs are late to the security party (unless we're talking
OpenBSD developers).

Management wants to push out new features by X date. Devs have very little
time to test and are behind on security anyway. Hackers have all the time in
the world to poke at the web front-end and test every possible combination of
things until they finally get in.

In a nutshell, that's the problem as I've seen it.

------
brudgers
What this story shows is that sometimes '12345' makes sense as a password -
i.e. when credential security doesn't matter to the user. If I use '11111' to
sign up for a onetime visit to a website, then there's no nexus with my online
banking account other than an email address - assuming even the most feeble
attempt at picking a 'secure' password for my banking.

This is why it is often silly when articles condemn users for weak passwords
when a password list is stolen. The proper assumption is that any password I
use is stored and transmitted in plain text and just now falling into the
hands of bad people.

This is the reason that, until I started expressing this idea on HN, my HN
password was "hackernews". If HN was breached, I was no less secure. Sans the
pursuit of lolz, it wasn't even worth trying to guess.

Of course, I changed it to something harder to prevent mischief since some
individuals might have seen my comments as a challenge.

~~~
mildtrepidation
This is a good argument for _unique_ passwords, not for _weak_ passwords. Weak
passwords only "make sense" if you really don't care whether your account is
compromised due to a very weak password.

~~~
leoedin
But often you don't care. The value of a throwaway account you made to
download a file is practically zero to you or an attacker. In the tradeoff in
simplicity (all my crappy throwaway accounts have the password 12345... easy!)
against security, simplicity wins.

If I only made an account on one of Cupid Media's sites because I wanted to
see a picture, I wouldn't care whether my password was easily guessable.
Additionally, I'm fairly sure that an easy to make account with no access
privileges is completely worthless to an attacker as well, and so the
likelihood of anyone even attempting to compromise it is next to nothing.

------
stfu
Just a random question: Is there anything that gives companies incentive to
prevent such hacks? It seems that there are no consequences at all, except for
some loss of reputation in the tech community. Is there a way to put legal
pressure on tightening up security?

~~~
l0gicpath
You are looking at necessity products built by large corporations whose
products are usually regarded as the best of breed in the market.

If you are a designer for instance, you'll most likely come to depend on Adobe
Photoshop. That means at some point you've created an account. Adobe got
breached and your data got leaked, you'll likely whine a little about it
online but unless you are willing to:

- shift your work and relearn a new tool than Photoshop

- navigate your way around closing your account (with the assumption that
your data is _actually_ deleted after account closure) which is rather hard in
most cases, no one likes losing users.

Then you'll likely just suck it up, do what you can and hope for the best.

On the other hand, you've got small-time (but growing, not web-scale yet)
services/products that can't really afford losing a large number of users.
Those would worry most about security. Ironically, they'd stay off the grid
for long enough and won't become attack targets until they make it big.

But that's just really the security industry, no system is 100% secure. And
you never know if you've tightened your security enough until someone drills a
hole. Then you patch it.

Any self-respecting corporate will have a security auditing policy. The so-
called white-hat hackers or pen-testers. Good companies will run security
audits every now and then in the hope of discovering new security holes
introduced by software updates, system policy changes, etc.

As for legal pressure, it depends on what we are talking about. If you are a
payment processing company then any data breach is a violation of your PCI
compliance, which leads to a lot of bad PR and legal consequences.

If Facebook got breached and data was exposed, I doubt there is anything in
the law that reacts to such issue. Unless someone sues Facebook for damages,
then that's a whole different ball game.

The incentives are there for any business of all sizes. Legally? It depends.
It's those schmucks that screw us all, plaintext passwords and shit.

Edit: Fixed formatting.

------
Torn
> Making matters worse, many of the Cupid Media users are precisely the kinds
> of people who might be receptive to content frequently advertised in spam
> messages, including male enhancement products, services for singles, and
> diet pills.

Oh wow. So Internet dating users are generally stupid, under-endowed,
desperate and overweight?

~~~
albedoa
They wrote "many", not "generally".

And yes.

~~~
aestra
[citation needed]

------
markdown
This is getting ridiculous.

When are we going to see legislation enacted to take these people to task?

Surely there is a case to be made that their negligence causes (or has the
potential to cause) real harm to their users.

We need a Saul Goodman to put together a class action.

~~~
danenania
Yes, the government would surely do a great job legislating development
standards. Just look how terrifically they've handled software patents.

~~~
TomGullen
Free markets currently doing a pretty awful job of it as we keep learning.
Perhaps some government legislation would help.

~~~
danenania
All legislation would do is put a big layer of ineffective bureaucracy between
developers and getting work done.

Get the government involved and it won't be long before you need to fill out
15 forms and hire a lawyer to put your weekend project online. Is that the
kind of internet you want?

~~~
aestra
Yeah, all those building codes do is put a big layer of ineffective
bureaucracy between the people who architect and do construction and getting
work done.

Yeah, all those sanitation codes do is put a big layer of ineffective
bureaucracy between the people who prepare food and getting work done.

------
NKCSS
And now we wait for the dump to show up... will be useful, larger than the
RockYou plain.

------
mattholtom
We can help in some small way. Advocate for the use of password managers like
LastPass and KeePass that use a different securely generated pw for each site.

------
ibsathish
Still in web 0.0 storing passwords in plain text? Awful.

------
jstalin
Anyone know where to find the password dump?

~~~
Achshar
While this might not sound so appropriate at first, I too would like to have
the dump. It can result in some interesting password research.

------
diminoten
Anyone have a copy of the password list? 42 million passwords would be fun to
analyze.

------
sawthatcoming
This was already very clear. The whole website was flawed and it probably was
known by individuals for a longer time... Bypass payments, change other
people's profile, read other people's messages. It does not stop here.

------
fiatmoney
Time for civil liability for these breaches. At this point the risk of storing
plaintext passwords is known enough that it should qualify as negligence.

------
valvoja
Next article on Hacker News: "Hack of Cupid Media dating website exposes xx
million fake dating profiles"?

------
kstop
So that's what - 30 million male users, 1 million female, and 11 million
spam-and-scam bots?

------
brianbreslin
Tangentially related: I am a LifeLock member (not sure if it's worth it, but it
gives me some peace of mind), and recently got email alerts from them saying
my Adobe login info was found for sale on several black market sites.

------
Jagat
After the Adobe/Cupid breaches, it is high time some governing body mandates
every website to reveal on their privacy policy page how passwords are stored
on their servers.

------
jheriko
Maybe I am just stupid, but how are password managers secure?

I've seen people using them, and if I were of a less honourable persuasion I
could abuse that quite easily... on the other hand, it's impossible for me to
steal information from out of their brain (so far at least).

~~~
lylejohnson
I've used 1Password (a popular password manager for the Mac) for several years
now. How could you "quite easily" hack those passwords, assuming that's what
you're implying?

~~~
diminoten
Keylogger.

~~~
bigdubs
Sure, but if you have that level of access to the machine, what's the point
you're making?

~~~
diminoten
I dunno, he asked a question and I answered it. I'm making no point.

