Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

GitHub, Cupid Media Address Password Security After Breaches

Just like house keys, passwords can give thieves all they need to get their foot in the door.

Just like house keys, passwords can give thieves all they need to get their foot in the door.

Users of the online dating service Cupid Media and well-known source code repository GitHub recently have been advised to reset their passwords and double-check their security in light of attacks. In the case of Cupid Media, attackers swiped unencrypted passwords, usernames and birthdays and other information belonging to 42 million customers and sent them to the same remote server linked to millions of records stolen from Adobe Systems, PR Newswire and other entities.

According to security blogger Brian Krebs, Cupid Media stated that the records were from a breach that occurred in January 2013. After being contacted by Krebs, the company said Nov. 20 it is double-checking that “all affected accounts have had their passwords reset and have received an email notification.” The company also told Krebs that in the aftermath of the breach, the company hired external consultants and began hashing and salting user passwords and making other security improvements.

GitHub meanwhile has already sent emails to affected users following an aggressive brute-force password guessing attack targeting victims with weak passwords. According to GitHub, passwords for the compromised accounts have been reset and personal access tokens, OAuth authorizations and SSH keys have been revoked. Users were also notified that they need to create a new, strong password and review their account for any suspicious activity.

“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly [40,000] unique IP addresses,” blogged GitHub security engineer Shawn Davenport. “These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly-used weak passwords.”

In both cases, the situation put a spotlight on weak passwords. Some of the most common passwords found among Cupid Media users were “123456” – used approximately 1.9 million times – and “111111”, which was used roughly 1.2 million times.

“It has become exceedingly clear over the last several years that password reuse is one of the most significant threats to average internet users,” said Patrick Thomas, security consultant at Neohapsis. “Using the same password on multiple sites risks exposing that password if any sites are breached; the excellent security of one site is entirely nullified if attackers can harvest the correct password from a breach of a less secure site. Most internet users will be far better off using random, unique passwords simply writing them down, or taking advantage of password vault programs that help generate and store passwords.”

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.