Contributed by: ElyseRomano Saturday, March 26 2016 @ 10:45 am
Just when you get comfortable with the Internet again, a new story about a hacking disaster makes headlines. This time, a hacker on a dark web forum called “Hell” claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
Last year, Hell made headlines when a hacker posted the personal details and sexual preferences of almost 4 million users of the hookup site Adult Friend Finder. The data dump was discovered months after the hack actually happened, forcing Adult Friend Finder to fess up about the breach.
Motherboard obtained a small sample of the stolen email addresses and passwords. Out of 500 addresses, 498 were linked to accounts on Mate1.com. According to its website, Mate1 has over 36.5 million users.
“Their server was compromised and the MySQL database was dumped,” the anonymous hacker told Motherboard. “I had shell/command access to their server.” The hacker claims to have obtained 40 million accounts initially, then whittled that number down by weeding out the bot logins. “They all had a common password pattern,” they said.
The database of poached user info was offered for 20 bitcoin on Hell (around $8,700), although it’s not clear if that was the actual selling price.
How did it happen? Motherboard found that Mate1 was shockingly open to such an attack. A reporter for the site clicked “forgotten password” on the login page and was sent a full, plaintext password via email. Mate1 made no attempt to conceal the password in any way.
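A site that can email your password back to you is keeping it in a form it can read, which is why a database dump exposes every password at once. The sketch below is an added example, not Mate1's code and not part of the original article: it stores only a salted scrypt hash and has "forgotten password" send a short-lived, single-use token instead. The names `UserStore`, `start_reset`, `finish_reset` and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Added illustration; UserStore and its method names are hypothetical.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # scrypt cost parameters
RESET_TTL = 900  # seconds a reset token stays valid (assumed policy)

def _hash_password(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

class UserStore:
    def __init__(self):
        self.users = {}   # email -> (salt, password hash); never the password
        self.resets = {}  # email -> (SHA-256 of token, expiry timestamp)

    def register(self, email, password):
        salt = secrets.token_bytes(16)  # unique salt per account
        self.users[email] = (salt, _hash_password(password, salt))

    def verify(self, email, password):
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        # Constant-time comparison of the recomputed hash
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def start_reset(self, email, now=None):
        """Return a one-time token to e-mail; the old password is unrecoverable."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a database dump cannot replay it
        self.resets[email] = (hashlib.sha256(token.encode()).digest(),
                              now + RESET_TTL)
        return token

    def finish_reset(self, email, token, new_password, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single use, even when the attempt fails
        digest, expiry = self.resets.pop(email, (b"", 0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        self.register(email, new_password)
        return True
```

With this design a stolen database holds salts and hashes rather than ready-to-use passwords, and the reset email carries nothing that still works after it has been used or has expired.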
The threat here isn't just that users’ dating accounts may now be compromised. A second danger comes from the fact that victims may have used the same passwords across multiple websites, potentially leaving accounts on Gmail, Amazon - anything, really - now open to attack. Anyone who purchased the database could test their newly-acquired passwords on more valuable accounts, and given the high number of credentials the hacker claims to have obtained, there’s a real chance that a significant number will indeed compromise accounts on other websites.
The first step, if you have an account with Mate1.com, is to change your password there. You’ll also want to update any accounts that share the same password and check to make sure they haven’t been tampered with.
This hack won’t make news the way the Ashley Madison hack did, but it serves as yet another reminder that digital security is a subject to be taken seriously.