Millions more adult and dating website accounts for sale on dark web

How much do you think your identity is worth?

What about your deepest, darkest secrets – like your sexual fantasies, or your desire to cheat on your spouse?

You might even be willing to pay a hefty ransom to protect your secrets from being exposed, but it turns out your sexual proclivities aren’t worth very much to a cybercriminal – a paltry eight thousandths of a cent, in fact.

That’s apparently the going rate on dark web cybercrime forums for account credentials stolen from adult dating and pornographic websites.

Last week a hacker on the dark web forum known as The Real Deal was offering a trove of 3.8 million email address and hashed password combinations stolen from the porn website Naughty America, for just 0.7048 bitcoins, or about $300.

Naughty America hasn’t said whether the dark web data batch is legitimate, but Forbes.com writer Thomas Fox-Brewster, who first reported the alleged breach, said he obtained a small number of account details and reached a handful of users who confirmed they had accounts on Naughty America websites.

As Forbes reported, the low price tag for the Naughty America data was probably due to the fact that the account passwords were protected with bcrypt, a strong cryptographic algorithm used for storing passwords so they’re time-consuming to crack, even if a crook steals the database and can attack it off-line.

Other adult and dating websites haven’t been careful in securing their users’ accounts, as evidenced by several recent data breaches.

Earlier this month, we reported that 237,000 user account details – including plaintext passwords – were swiped from the porn site TeamSkeet and put up for sale on a dark web forum for just $400.

And last month, it was revealed that the dating website Mate1 had suffered a huge data breach in February, with over 27 million user accounts, including plaintext passwords, stolen and offered for sale on the dark web forum known as Hell.

Troy Hunt, who runs a website called Have I Been Pwned that allows you to find out if your name or email address was exposed in a data breach, was adding the 27 million breached Mate1 accounts last week to his growing database.

Hunt tweeted that the Mate1 data breach included “deeply sensitive” information such as drug use, income levels and sexual fetishes.

What’s worse, Hunt said, is that a couple of months after the breach Mate1 is still storing passwords in plaintext.

What blows me away with Mate1 having plain text passwords, is nobody said "Hey, been a lot of breaches lately, we should check our things"

— Troy Hunt (@troyhunt) April 15, 2016

Another recent data breach exposed account details from a photo-swapping forum inspired by the “Fappening” celebrity hacks, with Hunt reporting that 179,000 accounts were exposed, although the passwords were hashed.

Those users shouldn’t get too comfortable though.

Even with a super-slow cracking speed forced on an attacker by a password storage algorithm like bcrypt, a poorly-chosen password is likely to be cracked, because password-guessing programs deliberately try the most obvious passwords at the start.

When 40 million Ashley Madison accounts were dumped on the dark web last July, it took crackers only 10 days to recover 11 million passwords stolen from the “infidelity” dating website.

Certainly it should be the responsibility of websites like Mate1, Naughty America or Ashley Madison to do all they can to secure account details.

But users of these sites might want to protect their own identities by using fake names and throw-away email addresses.

To paraphrase a wise man: If you wish another to keep your secret, first keep it to yourself.

Image of keys courtesy of Shutterstock.com.