OkCupid Users Victims of Credential Stuffing
OkCupid says there has been no data breach. Multiple users reported that their OkCupid accounts were hacked, but OkCupid denies there was a data breach, pointing to no increase in account takeovers and instead blaming credential stuffing attacks. The company suggested users can minimize their risk with stronger password hygiene.
According to Terry Ray, Imperva SVP and fellow, “I agree with all of the advice OkCupid offered. Users should have unique passwords for every website, or at the very least, have a unique password for every site you care anything about. Password managers are available – some for free and some for a fee, some for your computer, some for mobile and some for both – so there’s no real reason not to use one. Yes, it can be very annoying to not know your password and have to go look it up, but it’s more annoying to have your account hacked.”
He added, “This is really about cyber hygiene. If we could, wouldn’t it be easy to have just one physical key in our life, that would drive all your cars, open your home’s doors, get you into the office and where ever else you need to be? Probably doesn’t sound like a very secure idea, but would make for a smaller key ring. We don’t do this for physical security, yet almost everyone, even security professionals reuse some passwords. For those people, you should at least consider unique passwords for things that will make your life difficult when they get hacked. Notice I say when, not if.
Testing usernames and passwords from a list is an automated process. It’s cheap, fast and easy for attackers to execute. Two factor authentication helps for sure and I encourage its use, but not every website supports it yet. In the meantime, users need to do one of two things:
1) Change all of your passwords to something unique – and I don’t mean: Password1, Password2, Password3, etc. – something really unique. Use letters and numbers in nursery rhymes:“HDS4tOn4W@ll,” for Humpty Dumpty Sat On A Wall. Whatever works, put them in a password manager and move onto the next website. Turn on 2fA (Two Factor Authentication) Or
2) Prioritize your websites into important and unimportant. Do step one for all important websites and sacrifice the unimportant ones. Just never, ever use a password more than once for a website you consider important.
There are many factors in determining what characteristics make up an important website, but you can take some these and add your own:
- Contains obviously private data (phone, CC#, SSN, address, bank account)
- Contains your or your family and friends’ pictures
- Any work website
- Healthcare websites
- Insurance websites
- Social media websites (you don’t want someone posting things you wouldn’t say)
- Dating websites (you don’t want people misrepresenting you, as you)
- Airline, rental car, hotel and other points websites (no need to give free vacations to hackers)