Millions used '123456' as a password in breach affecting 42 million


Nearly 42 million names, email addresses and passwords belonging to clients of dating website company Cupid Media were reportedly discovered on the same server where hackers stored information stolen from Adobe, PR Newswire, LexisNexis and the National White Collar Crime Center (NW3C).

The credentials were stored in plaintext and nearly two million of the accounts used '123456' as a password, according to technology journalist Brian Krebs, who, along with Alex Holden, CISO at Hold Security, has been uncovering the details of these breaches. More than 1.2 million clients used '111111' as a password and nearly 575,000 used '123456789.'

Security firm Stricture Consulting Group revealed this month that '123456' was the password used by about two million of the roughly 38 million Adobe customers impacted in a breach disclosed in October. That incident involved the loss of credit card data and product source code, as well.

“It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users,” Patrick Thomas, a security consultant at mobile and cloud security company Neohapsis, told SCMagazine.com in a Wednesday email.

Krebs said he heard from Andrew Bolton, managing director with Cupid Media, and Bolton told him that the number of impacted members who are active is less than 42 million. Bolton told Krebs that accounts had been compromised in a January breach, but Krebs said he could not find information on that incident.

“Organizations should secure the data itself through automated encryption, as well as control administrator access to systems containing sensitive data by implementing fine-grained access controls and role-based security,” Eric Chiu, president of cloud infrastructure control company HyTrust, told SCMagazine.com in a Wednesday email.

Krebs said Bolton told him that Cupid Media will be improving security and taking other measures to prevent a similar incident from occurring, including implementation of hashed and salted passwords.
