BreachExchange mailing list archives
Dear John, thoughts on the Cupid Media breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Nov 2013 01:04:13 -0700
http://blogs.csoonline.com/data-privacy/2835/dear-john-thoughts-cupid-media-breach

There has been a veritable orgy of large data breaches over the last couple of years. While a lot of folks have been aware of the major breaches that have come down the pipe, there is one that stands out as a "wait, what?" moment in time. That would belong to Cupid Media.
From Cupid Media:
"Online safety

"We believe our customers deserve peace of mind. Cupid Media undertakes every possible method necessary to ensure a secure environment within which members can look for a potential partner. We use an advanced fraud prevention system and routine member checks to provide the highest level of internet protection possible on a dating service."

The irony is painfully thick in this case. I'm reminded of the Great and Powerful Oz sitting behind the curtain demanding that the adventurers obey. Instead, what we find is that yes, Oz was not all that he was chalked up to be. Rather, a fraud.

In Cupid Media's case I'm seeing some frightening parallels. 42 million users of Cupid Media had their passwords exposed in a massive breach that appears to have not been previously disclosed. Nor does any mention of it appear on Cupid Media's site as of this writing. Apparently, my understanding of a "secure environment" is a flawed one based on the aforementioned passage.

Sites get compromised all the time. I get that. There is no covering up the fact that it happens and will continue to happen as long as hands touch keyboards and software has defects. The law of the land. But don't mislead your customers.
From AussieCupid, a Cupid Media property, this passage:
"5.3 Security of information

"Unfortunately, no data transmission over the internet can be guaranteed as being totally secure. Whilst we strive to protect such information, we do not warrant and cannot ensure the security of any information which you transmit to us. Accordingly, any information which you transmit to us is transmitted at your own risk. Nevertheless, once we receive your transmission, we will take reasonable steps to preserve the security of such information."

Define "reasonable". In this case it appears that the company had not even taken basic steps to secure the data of their customers. Passwords for 42 million customers were apparently stored in plain text.

The passage on the Cupid Media property regarding "security of information" seemed oddly familiar. So, I pasted it into Google. What I received was 3,550 results. I cringe at the thought that those other sites might have a similar approach to data security.
From the article by Brian Krebs, which broke the story this past Tuesday:
"In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts," Bolton said. "We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification."

Krebs noted that there was no public record to be found for the stated breach, which apparently took place in January 2013. I even checked on the Wayback Machine and nope, there was no posting on the Cupid Media site at the time.

Were you a customer of a Cupid Media property in January 2013? Did you receive an email from the company? If so, would you mind sending it to me? I would love to share it, with your name removed of course.

When it is your responsibility to secure your customers' data, do it. Don't pee on my leg and tell me that it's raining.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com