Adult Friend Finder breach exposes millions of users

A famous cartoon once said, "On the internet, no one knows you're a dog". But millions of users of online dating site Adult Friend Finder may discover that far more is known about them than they would care to admit.

Adult Friend Finder breach exposes millions of users
Adult Friend Finder breach exposes millions of users

Up to 3.5 million Adult Friend Finder.com (AFF) users will be getting to grips with the exposure of their private browsing habits from a data breach, which apparently resulted from a dispute between AFF's parent company and adisgruntled contractor.

Bev Robb, a malware and dark web researcher who writes on the TekSecurity blog, uncovered the leaked data on the darkweb this week, which she says was posted there by a hacker going by the handle of 'ROR[RG]'. 

The hacker posted 15 spreadsheets of information containing personal data stolen from the adult site's database, and his motivation was apparently revenge for money owed to “his guy” – approximately US$ 248,000 (GBP £163,000). Combined with a ransom demand for US$ 100,000 (GBP £66,000), this amounts to US$348,000 (GBP £229,000) in financial losses to the company.

However, the losses to users of the site are potentially far greater. The hacker claims to have details of over 3.5 million users ranging from email addresses and first names to last names, physical addresses, age, sex, birth date and sexual preferences.

Should a criminal get their hands on one of these email addresses, and combine it with leaked name and AFF registration details, they would be able to mastermind a convincing phishing attack or, with a little more research, instigate a blackmail campaign.

Channel 4 TV quotes a former user of Adult Friend Finder (AFF), Shaun Harper, who said he visited the site but quickly decided it wasn't for him. However, despite deleting his account, his details were included in the leaked data and he has received emails containing malware.

Security researcher Graham Cluley, writing about the breach, was critical of the site for not warning new or existing users of the potential for their data to be compromised. Far from it, they actively encouraged users to provide even more personal information.

SCMagazineUK.com managed to find an advisory notice, hidden away on the parent company's corporate site, ffn.com, which stated: “FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation.”

It said it has hired FireEye's forensics arm, Mandiant, to investigate the breach.

“We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected,” the company added.

Tim Erlin, director of security and product management, Tripwire, commented: “It's become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It's not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.”

His colleague, Ken Westin, senior security analyst, Tripwire, warned of the dangers of personal details being exposed on the web. “The Internet has essentially become a database of 'you'. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual,” he said.

According to Bev Robb, the information has been downloaded from the darknet forum where it was posted nearly 2,000 times, and there is potential for it to be re-posted to other forums where it will be downloaded even more times.

Westin said the potential to cross index the information and identify individuals was clearly a danger in terms of phishing and blackmail.

“Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attribute and unveil connections to accounts that were not seen until now,” Westin told SC. “An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity, this is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.”

Rob Norris, director of enterprise and cyber security in the UK and Ireland, Fujitsu, said the breach underscores the need for better education and improved plans for dealing with the aftermath of breaches.

“Another day, another data breach – this time FriendFinder is in the spotlight. Although this hack is looking to be resolved quickly, it once again highlights that it is no longer about prevention, but instead about accepting a data breach will occur and moving to a proactive approach which allows better preparation for dealing with today's threats,” he said.

And he added: “In today's threat landscape, organisations can no longer afford to be complacent when it comes to training and should implement an effective security education programme to help combat today's cyber-hackers.”