Online dating service Zoosk is urging some of its users to change their passwords following the leaking of a list of some 29 million passwords that seemingly contains theirs.
According to password expert Jeremi Gosney, who cracked over 90 percent of the leaked MD5 hashes (which were, unfortunately, not salted), nearly 3,000 contained the word “zoosk” in a variety of predictable combinations such as “logmein2zoosk” and “ilovezoosk”.
The set also includes a number of passwords containing word combinations such as “lookingforlove” and “lookingforsex,” which definitely points to the fact that the password must belong to users of a one or more online dating services (not necessarily Zoosk).
According to Ars Technica, the individual who posted links to the cracked passwords claims that the sets contain passwords from various sources, and the fact that they contain words like “yahoo”, “hotmail,” “linkedin” and similar supports the claim.
A Zoosk spokeswoman confirmed that they were asking a “small subset” of their users to reset their passwords, but said that their internal investigation so far revealed no evidence of their network having been compromised, and that they received no reports of user accounts being accessed by anyone other that the legitimate users.
She also added that the service no longer uses MD5 to encrypt user passwords. Instead, they have been employing the PBKDF2 key derivation function with the SHA-256 algorithm and salting, which makes the cracking of the password hashes considerably more time-consuming.