Why a hacked dating site is bad news for everybody

"Cupid Media" are an American company who provide a range of "niche" dating websites ("Meet Kenyan Singles!", "Meet Muslim Singles!", "Meet Interracial Singles!"). Earlier this year, they fell victim to a security breach and their entire database of over 42 million users was downloaded. Ouch. This sort of security breach is sadly becoming more and more common these days, which is why service providers apply encryption to their database contents - meaning that even if their users' data is stolen, it will still be somewhat secure. Only Cupid Media hadn't done this. Their entire database was completely unencrypted, meaning the names, e-mails, passwords and birth-dates of every user that had ever registered with them were immediately available to those pesky hackers (and whoever they in turn choose to pass them on to). Now this obviously isn't great news for Cupid Media's customers, but the situation can be rectified - a mass resetting of passwords and e-mailing of users will have prevented any abuse of those accounts, and thankfully their database didn't contain any credit card data. A large portion of those accounts are likely to have been inactive as well.

However, there's worse news for all of us (you, me, everyone). It's the fact those passwords were unencrypted. To explain, we first need to have a crash course in password hacking...

In this modern age, passwords are nearly always protected with a one-way "hashing" algorithm, such as MD5 or SHA. This converts the user's input, say "mypassword", into something like "34819d7beeabb9260a5c854bc85b3e44". Not only does that give you something which is completely unidentifiable as the original string, but which cannot be reverse engineered. It's not just difficult, it's impossible. The only way to crack that is to hash different variations until you get an output that exactly matches the string you're trying to break - then you know you've found the input. Using brute-force (trying every single possible combination of characters) would take several hundred years to break just one, eight-character long password. So, happy days right? Nup.

Brute-force is old school. These days, there are several pieces of software freely available for cracking hashed passwords. Rather than using brute force, these tools use "dictionary attacks", where instead of trying every single combination, they use sets of likely words (like "password") and then apply known permutations (like "password123" or "Pa55word!"). This means you (or rather the hacker) has less permutations to try out, resulting in a significantly faster cracking time. With the right settings and powerful enough (but off-the-shelf) hardware, we're no longer talking years, days or even seconds. We are talking milliseconds.

So what's this got to do with the Cupid Media breach? Well dictionary attacks are called so because that's exactly what they used to be - they literally used the english dictionary as the basis for cracking attempts. But of course, that's still fairly inefficient - there's a lot of words in the dictionary that people almost certainly won't be using in passwords and there's a lot of words being for passwords (like people's names, mentions from pop culture) which are yet to be approved by the editors of the Oxford Dictionary. So instead, the hacking community has been learning from its successful breaches about the sort of words real people use in real passwords, and compiling word lists with a high likelihood of success. The most infamous example was when the gaming company, RockYou, was hacked in 2009 - revealing the 32 million plain text passwords of its users. This list of passwords was then whittled down to around 14 million unique words (things like "babygurl", "portugal", "samsung", "qwerty") - a perfect data set for breaking other passwords. Every breach like that helps the hackers become more efficient, and our current password protection less and less effective. Thanks to Cupid Media, there's now an even bigger batch of learning material out there now: fresh, up-to-date learning material.

So it's hard to end this article on a positive note, the situation is going to get a lot worse before it gets better. There are things we can learn though, and actions you can start taking today to better protect yourself online:

  • Use a different password for every site you use - the Cupid Media site didn't store credit card details, but the first thing hackers are going to do is try those e-mail and password combinations of sites that do.
  • Don’t assume it won’t happen to you - if you’ve ever saved your details on a website, then this is something that can happen to you.
  • Don't be lazy - 1.9 million of the passwords revealed on Cupid Media were "123456".
  • Use upper-case letters, and not just at the start of the password - it will mean you're immediately doubling the number of permutations required to crack it.
  • Include numbers and non-alphanumeric characters - again, it's more combinations required so more computing time. Try and avoid the obvious things though, like using '3's instead 'e's - they know to look for that.
  • Make it long - after the sixth character in length, cracking time increases exponentially. More is definitely better.
  • Use a password manager like LastPass, KeePass or 1Password - these bits of software will generate a lengthy, completely random password for every site you use and then store it in a local, encrypted file for you. This provides the double-whammy of having the most secure possible passwords and not having to remember all of them!

Picture credit: http://www.flickr.com/photos/mikebaird/2354116406/