Ars Technica warns that an attack on dating website Cupid Media exposed the personal details of 42 million user accounts. Besides names and e-mail addresses, the most worrying fact about the hack is that the attackers were also able to obtain the passwords, which were stored in plaintext, without any encryption. All Cupid accounts have had their passwords reset, but users could be at risk of further attacks if they used the same e-mail address and password combination on other websites.
Making matters worse, many of the Cupid Media users are precisely the kinds of people who might be receptive to content frequently advertised in spam messages, including male enhancement products, services for singles, and diet pills.
The Cupid Media user records reviewed by Krebs contain the usual assortment of weak passwords. More than 1.9 million accounts were protected by 123456. Another 1.2 million used 111111. Users who used the same e-mail address and password to secure accounts on other sites are vulnerable to hijacking. Word of the Cupid Media compromise follows recent reports of password leaks from a host of other sites or companies, including Adobe (150 million reversibly encrypted passwords), MacRumors forums (860,000), and web software developer vBulletin (number not disclosed).