The leaked personal data of more than 3.6 million users registered on dating site MobiFriends was made all the more vulnerable because the site used the notoriously weak MD5 hashing.

“It is always troubling to hear about passwords being stolen in a data breach, especially when the stolen passwords are hashed with MD5,which is infamous for no longer being cryptographically secure,” said ForgeRock Senior Vice President Ben Goodman. He pointed out that four of five global breaches stem from weak or stolen passwords with the problem exacerbated by users reusing username and password combinations.

In this case, the compromised user credentials could unlock nearly 10 million accounts due to rampant password reuse,” said Vinay Sridhara, CTO at Balbix , citing a recent company report that “found that the average password is reused 2.7 times, and the average user is sharing 8 passwords between work and personal accounts.”

The information posted online – including mobile numbers, usernames, birthdates and app activity – was nicked during a January 2019 breach. ”The leaked data sets are currently available in a non-restricted manner despite being originally offered for sale,”  according to researchers at Risk Based Security (RBS).

“The compromised data sets were originally posted for sale on a prominent deep web hacking forum on January 12th, 2020 by a threat actor named ‘DonJuji’ and attributed to a January 2019 breach event,” the researchers wrote in a blog post, noting another threat actor on the same forum shared the data “in a non-restricted manner” April 12 of this year.

Some of the information came from professional email accounts associated with American International Group (AIG), Experian, Walmart, Virgin Media and other Fortune 1000 companies.

“It appears that at least some MobiFriends employees used their work email addresses as well, so it’s entirely likely that full login credentials for employee accounts are amongst the nearly 4 million sets of compromised credentials,” said Sridhara. 

Fausto Oliveira, principal security architect at Acceptto, said that threat actors were able to access the data in the first place, and went undetected until the data appeared on the Internet, raises questions about how strong the security controls were that protected that data.”