Any data breach is a bad thing, as it could put your name, email address or other personally identifiable information in someone else's hands. The newly revealed data breach that affected Adult Friend Finder is arguably even worse. Three and a half million users of the risqué hookup service fell victim to a vengeful malefactor, who revealed a ton of sensitive data, up to and including users' marital status and sexual orientation.
The leaked data was first reported last month by Oregon-based tech blogger Bev Robb, who blogs under the name Teksquisite. It was then independently discovered on hidden "dark web" sites and publicized yesterday (May 21) by Britain's Channel 4 News. The story goes that a Thailand-based hacker named ROR[RG] claimed Adult Friend Finder owed a friend of his almost $250,000 in unpaid fees. ROR[RG] leaked the data, then threatened to leak more unless Adult Friend Finder coughed up the money, as well as an additional $100,000.
In an email to CSO Online's Steve Ragan, Adult Friend Finder confirmed the breach and said it was working with Mandiant, a Virginia-based company that specializes in post-breach investigations and cleanups.
The story of a malcontent hacker out for money is nothing new, nor is a breach of user data from a high-profile dating site. What makes this incident interesting is the sheer breadth of information involved. Most data breaches can be mitigated by changing a password or canceling a credit card. But there's no way to change your sexual orientation (so far as we know) or undo the fact that you were seeking an extramarital affair. (Credit card numbers do not appear to be part of the current data dump, nor do account passwords.)
Adult Friend Finder is not a traditional online dating service; it's an entire community of people (mostly men) looking for casual, and often unorthodox, sex. Registered users list their sexual orientation and preferences, and even whether they're married and looking to cheat. This information is ripe for spammers, phishers and blackmailers — plenty of whom frequent the dark web.
People who've seen the Adult Friend Finder data said it didn't take too much effort to choose a username at random and track that person down on Facebook. If the person is a man happily married to a woman, but hunting down gay hookups on the side, a malefactor could easily take advantage of that hidden knowledge. Blackmailing might work, but so would sending a threatening e-mail with a link to phishing malware to steal his credit card.
Among the 3.5 million persons exposed, there are likely to be some high-profile individuals. Already, names of police officers and other public servants found in the database are being sent out on Twitter. Politicians, religious leaders, financiers and other powerful people could be in real trouble if their unusual sexual predilections were public knowledge, and might be willing to pay up to keep them private.
Since the information is located in the bowels of the dark web, it's probably not a great idea to go looking for it, even if you may have been affected by the breach. You can, however, check whether your information is out there at the useful and benign website Have I Been Pwned? If so, change the password on the account right away, and on any other accounts on which you used the same password — even though passwords were not among the stolen data.
Your best bet at this point would be to hope that you have nothing to hide — and if you do, take solace in the fact that with 3.5 million names to choose among, the odds are against you being singled out by criminals.