Naked Security Naked Security

Adult FriendFinder hacked, users’ intimate details exposed on Dark Web

Adult FriendFinder, a website billed as a way for people to "find friends, sex, flings and hookups," has had a serious data breach. Now millions of people who thought they were using a discrete service to find casual sex have had their private information exposed online.

online-dating-550

Adult FriendFinder, a website billed as a way for people to “find friends, sex, flings and hookups,” has had a serious data breach.

Millions of people who thought they were using a discreet service to find casual sex have had their private data exposed online – including personal emails, sexual orientation and whether they were looking to cheat on their partners.

As the UK’s Channel 4 News reported yesterday, 3.9 million users of Adult FriendFinder had their information published on a hacker forum on the Dark Web – the shady, anonymous part of the Internet hidden by strong encryption that has become (amongst other things) a haven for cybercriminals.

Among the accounts exposed were email addresses for military service members and government workers, who could be targeted for blackmail, the news station reported.

FriendFinder Networks Inc. – the parent company of Adultfriendfinder.com – acknowledged a “potential data security issue,” and said it has hired a security consultant to investigate.

FriendFinder Networks said it would not speculate on the scope of the breach.

Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.

The trove of data was published on a Dark Web forum by a hacker named ROR[RG], Channel 4 News reported.

The Channel 4 News story is corroborated by a blogger named Teksquisite, “a self-employed IT consultant,” who uncovered the same data cache last month and accused the hacker of attempting to extort money from Adult FriendFinder before leaking the stolen account data.

According to a blog post (Ed: we’d normally link to it but it wasn’t responding at the time we edited this article) published 13 April, ROR[RG] was demanding a $100,000 ransom for the data because the hacker was “pissed off” that the dating site owed “his buddy” approximately $248,000.

Although Teksquisite didn’t find any credit card data associated with the hacked accounts, she said, there is enough information out there to cause the exposed users considerable harm.

Teksquisite said many of the 15 spreadsheets in the data dump included only email addresses – but 400,000 of the accounts included details that could be used to identify users, such as their username, date of birth, gender, race, IP address, zip codes, and sexual orientation.

All told, it’s “more then enough data to enable a cybercriminal to conduct a massive phishing campaign,” Teksquisite said in the blog post.

“Within hours” of the data being posted, other hackers on the forum said they intended to hit the email addresses with spam, Channel 4 News reported.

One Adult FriendFinder user, a UK man named Shaun Harper, said he had already received phishing emails – a type of spam that mimics messages from legitimate sources like banks or dating websites to trick people into giving away their account logins.

Beyond phishing, there’s a real potential for the exposed users to be extorted for money, or doxed – where their information is exposed online for the purpose of intimidation or public shaming.

Teksquisite explained how she was able to locate some of the real people whose data was dumped on the hacker forum – with just a simple Google search on their online “handles” (usernames).

Some of those users were fond of doing things behind closed doors that they might not want their friends, families or employers to find out.

Harper said on Channel 4 News that he had deleted his account once he realized the site was for people interested in “one-night stands,” but even that didn’t keep his information safe. Harper said:

I deleted my account, so I thought the information had gone ... These sites are meant to be secure.

It’s an embarrassing situation for people like Harper, and a nightmare for FriendFinder Networks too.

The social networking company claims it has more than 600 million registered users on 40,000 websites in its network.

Dating websites are hugely popular but to be successful their users have to entrust them with some of their most sensitive information.

It seems that customers of Adult FriendFinder might have to kiss a few more frogs before they find a dating website that’s compatible with their privacy needs.

Image of online dating courtesy of Shutterstock.