Security Experts:

GitHub, Cupid Media Address Password Security After Breaches

Just like house keys, passwords can give thieves all they need to get their foot in the door.

Users of the online dating service Cupid Media and well-known source code repository GitHub recently have been advised to reset their passwords and double-check their security in light of attacks. In the case of Cupid Media, attackers swiped unencrypted passwords, usernames and birthdays and other information belonging to 42 million customers and sent them to the same remote server linked to millions of records stolen from Adobe Systems, PR Newswire and other entities.

According to security blogger Brian Krebs, Cupid Media stated that the records were from a breach that occurred in January 2013. After being contacted by Krebs, the company said Nov. 20 it is double-checking that "all affected accounts have had their passwords reset and have received an email notification." The company also told Krebs that in the aftermath of the breach, the company hired external consultants and began hashing and salting user passwords and making other security improvements.

GitHub meanwhile has already sent emails to affected users following an aggressive brute-force password guessing attack targeting victims with weak passwords. According to GitHub, passwords for the compromised accounts have been reset and personal access tokens, OAuth authorizations and SSH keys have been revoked. Users were also notified that they need to create a new, strong password and review their account for any suspicious activity.

"While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly [40,000] unique IP addresses," blogged GitHub security engineer Shawn Davenport. "These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly-used weak passwords."

In both cases, the situation put a spotlight on weak passwords. Some of the most common passwords found among Cupid Media users were "123456" – used approximately 1.9 million times – and "111111", which was used roughly 1.2 million times.

"It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users," said Patrick Thomas, security consultant at Neohapsis. "Using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site. Most internet users will be far better off using random, unique passwords simply writing them down, or taking advantage of password vault programs that help generate and store passwords."

view counter