Dating Website Breach Spills SecretsDarknet Dump Offers 3.9 Million Users' Personal Details
One of the world's largest dating websites, AdultFriendFinder.com, is warning current and former users that their personal information may have been compromised by hackers. Nearly 4 million people are reportedly affected by the data breach.
The site's parent company, Sunnyvale, Calif.-based FriendFinder Networks - which says its network encompasses more than 40,000 sites and includes more than 600 million users - has confirmed that it's investigating the breach report. It is working with law enforcement agencies and has brought in third-party digital forensics investigators from FireEye's Mandiant.
"FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue," the company says in a May 21 statement. But to date, the company has declined to offer any further details, such as how many different users or regions might have been affected, and whether the breach extends beyond AdultFriendFinder - which claims to have 63 million users worldwide - or when the breach may have begun.
"Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation," FriendFinder Networks says. "We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected."
The apparent breach was first uncovered - and reported - by U.K. news agency Channel 4, which says it found 15 spreadsheets containing information on 3.9 million AdultFriendFinder users during an investigation into the types of information sold on underground, so-called darknet or "dark Web" sites, which typically refers to "Onion" sites that can only be reached by using the Tor anonymizing browser.
AdultFriendFinder bills itself as a "thriving sex community," and stores related types of personal data, Channel 4 reports. Information that it recovered - which had been posted on an underground forum by a hacker nicknamed "ROR[RG]" - reportedly includes details of whether users are gay or straight, whether they're seeking extramarital affairs, as well as their age, email addresses, usernames, mailing addresses, as well as their IP address.
Leaked Data Now Circulating
Security expert Troy Hunt, who maintains "Have I Been Pwned?" - a free website that alerts subscribers when their personal information appears in data dumps - reports that the information allegedly leaked from AdultFriendFinder is now in public circulation, and that it includes current and previous users' emails, sexual orientation, age, gender and race, among other information.
Found 3,867,997 unique emails in the Adult Friend Finder dump. Emails. Sexual orientation. Age. Gender. Race. *DELETED* accounts.— Troy Hunt (@troyhunt) May 22, 2015
Spam, Extortion Warnings
Security experts say some of the site's married users may find this information leak inconvenient - to say the least - and have warned all of the site's current and former users to beware of related spam campaigns and blackmail attempts. "I've always thought adult dating sites would be a perfect target for criminals to breach and use details for extortion," says information security consultant and Europol cybercrime adviser Brian Honan via Twitter.
"Divorce lawyers are celebrating this news," technology and public policy attorney Elizabeth Wharton, at Hall Booth Smith, says via Twitter.
Channel 4 reports that some of the leaked email addresses tie to U.K. government officials and armed services personnel.