The adult dating site Adult FriendFinder, which currently boasts more than 60 million users, recently acknowledged that a “potential data security incident” may have impacted user information.
In response, site owner FriendFinder Networks says it has notified law enforcement and the FBI, has hired Mandiant to “investigate the incident, review network security and remediate our system,” has launched an internal investigation to “review and expand existing security protocols and processes,” has temporarily disabled the ability to search by username, and has masked the usernames of “any users we believe were affected by the security issue.”
All potentially affected members are being advised to change their usernames and passwords.
“It is important to note that, at this time, there is no evidence that any financial information or passwords were compromised,” the company added.
Still, security researcher Troy Hunt, founder of HaveIBeenPwned.com, recently came across a dump of 3,867,997 records from the site, including user name, birthdate, email address, gender, location, IP address, race, relationship status, sexual orientation and language(s) spoken.
According to CSO Online, a Thai hacker using the name ROR[RG] has claimed responsibility for the breach, and has demanded a $100,000 ransom to prevent more leaks of data stolen from the site.
A separate CSO Online article notes that several members appear to have registered on Adult FriendFinder using their work email addresses, including email addresses for the U.S. Army, U.S. Air Force, Australian military, Brazilian military, Canadian military and Colombian military, as well as several international government addresses.
As Tripwire senior security analyst Ken Westin told eSecurity Planet by email, people who were more careful when registering with the site could also be at risk. “Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attribute and unveil connections to accounts that were not seen until now,” he said.
“An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity,” Westin added. “This is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.”
As a result, Malwarebytes CEO Marcin Kleczynski said by email, this is potentially a breach on a whole new level. “While a breach at a financial or healthcare institution will leak data that can threaten your finances or identity, a breach like this can ruin you socially,” he said. “Information such as sexual preference and desire to cheat on your spouse only lives in systems like this. It’s rare to see this type of data make it out into the public.”
“It’s important to note that how the bad guys decide to use this data really shows how online threats have changed from just simple computer viruses that go after tech to one that is paired with psychological attacks against the human user, who in some cases can be considered both the strongest and weakest point of security,” Kleczynski added.