Dear John, thoughts on the Cupid Media breach

There has been a veritable orgy of large data breaches over the last couple of years. While a lot of folks have been aware of the major breaches that have come down the pipe, there is one that stands out as a "wait, what?" moment in time. That would belong to Cupid Media.

From Cupid Media:

Online safety

We believe our customers deserve peace of mind. Cupid Media undertakes every possible method necessary to ensure a secure environment within which members can look for a potential partner. We use an advanced fraud prevention system and routine member checks to provide the highest level of internet protection possible on a dating service.

The irony is painfully thick in this case. I'm reminded of the Great and Powerful Oz sitting behind the curtain, demanding that the adventurers obey. Instead, what we find is that Oz was not all he was chalked up to be. Rather, a fraud. In Cupid Media's case I'm seeing some frightening parallels.

42 million users of Cupid Media had their passwords exposed in a massive breach that appears not to have been previously disclosed. Nor does any mention of it appear on Cupid Media's site as of this writing. Apparently, based on the passage above, my understanding of a "secure environment" is a flawed one.

Sites get compromised all the time. I get that. There is no covering up the fact that it happens and will continue to happen as long as hands touch keyboards and software has defects. The law of the land. But, don't mislead your customers.

From AussieCupid, a Cupid Media property, comes this passage:

5.3 Security of information

Unfortunately, no data transmission over the internet can be guaranteed as being totally secure. Whilst we strive to protect such information, we do not warrant and cannot ensure the security of any information which you transmit to us. Accordingly, any information which you transmit to us is transmitted at your own risk. Nevertheless, once we receive your transmission, we will take reasonable steps to preserve the security of such information.

Define "reasonable".

In this case it appears that the company had not even taken basic steps to secure the data of their customers. Passwords for 42 million customers were apparently stored in plain text.

The passage on the Cupid Media property regarding "security of information" seemed oddly familiar. So, I pasted it into Google. What I received was 3,550 results. I cringe at the thought that those other sites might have a similar approach to data security.

From the article by Brian Krebs, which broke the story this past Tuesday:

“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”

Krebs noted that there was no public record to be found for the stated breach, which apparently took place in January 2013. I even checked on the Wayback Machine and nope, there was no posting on the Cupid Media site at the time.

Were you a customer of a Cupid Media property in January 2013? Did you receive an email from the company? If so, would you mind sending it to me? I would love to share it, with your name removed of course.

When it is your responsibility to secure your customers' data, do it.

Don't pee on my leg and tell me that it's raining. 
