Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

GitHub, Cupid Media Address Password Security After Breaches

Just like house keys, passwords can give thieves all they need to get their foot in the door.

Just like house keys, passwords can give thieves all they need to get their foot in the door.

Users of the online dating service Cupid Media and well-known source code repository GitHub recently have been advised to reset their passwords and double-check their security in light of attacks. In the case of Cupid Media, attackers swiped unencrypted passwords, usernames and birthdays and other information belonging to 42 million customers and sent them to the same remote server linked to millions of records stolen from Adobe Systems, PR Newswire and other entities.

According to security blogger Brian Krebs, Cupid Media stated that the records were from a breach that occurred in January 2013. After being contacted by Krebs, the company said Nov. 20 it is double-checking that “all affected accounts have had their passwords reset and have received an email notification.” The company also told Krebs that in the aftermath of the breach, the company hired external consultants and began hashing and salting user passwords and making other security improvements.

Advertisement. Scroll to continue reading.

GitHub meanwhile has already sent emails to affected users following an aggressive brute-force password guessing attack targeting victims with weak passwords. According to GitHub, passwords for the compromised accounts have been reset and personal access tokens, OAuth authorizations and SSH keys have been revoked. Users were also notified that they need to create a new, strong password and review their account for any suspicious activity.

“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly [40,000] unique IP addresses,” blogged GitHub security engineer Shawn Davenport. “These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly-used weak passwords.”

In both cases, the situation put a spotlight on weak passwords. Some of the most common passwords found among Cupid Media users were “123456” – used approximately 1.9 million times – and “111111”, which was used roughly 1.2 million times.

“It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users,” said Patrick Thomas, security consultant at Neohapsis. “Using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site. Most internet users will be far better off using random, unique passwords simply writing them down, or taking advantage of password vault programs that help generate and store passwords.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.