Millions of AdultFriendFinder members exposed after hack

Oh my goodness. AdultFriendFinder - what have you done to me?

In the course of writing this article I decided I should create an account on the site (using a throwaway email address, and bogus credentials, naturally). Now I feel like I need to bleach my eyeballs.

You might be wondering why I wanted to create an AdultFriendFinder account in the wee small hours of the morning?

Well, the truth of the matter is that members of AdultFriendFinder are screwed. But not necessarily in the way they might like.

I wanted to know what kind of warning AdultFriendFinder was giving its millions of members - following the breaking news that the site has been hacked, and that the email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million members are being offered for sale online.

The UK's Channel 4 News broke the story, and raised the alarm for those people who are users of - shall we say - one of the seedier "dating" sites online. According to reports, even users who have asked the site to delete their accounts have had their details exposed.

Okay, let's bite the bullet. AdultFriendFinder isn't a dating site at all.

Just doing a search for AdultFriendFinder online will reveal the truth. It's for people who want to have sex with strangers.

Search for AdultFriendFinder

But even people who aren't particularly fussy about who they rub their genitals up against deserve to be warned if their details might have fallen into the hands of hackers, don't they?

Shouldn't there be a warning on the front page of the AdultFriendFinder website?

There isn't.

AdultFriendFinder website

How about on the AdultFriendFinder blog?

Nope, nothing out of the ordinary there either.

AdultFriendFinder blog

So that's why I thought maybe they only want to warn people who are actually members of the site. So I thought if I just created an account (again, let me stress, with bogus details and a temporary email address) then surely a message would pop up telling me about their embarrassing predicament.

But no.

AdultFriendFinder profile

All that happened was I was prompted to enter a realm of information about myself, my sexual preferences, my location and whether I would be prepared to relocate. Huh? What's that last one about?

Oh, and I also received some unsolicited messages from some randy housewives who were clearly turned on by me mentioning my hankering for a good game of chess.

FriendFinder Networks Inc, which owns Adult FriendFinder, offered a statement to Channel 4 News:

"FriendFinder Networks Inc understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of a leading third-party forensics expert. We pledge to take the appropriate steps needed to protect our customers if they are affected."

Appropriate steps to protect your customers, AdultFriendFinder? How about posting a warning on your website so your members can look out for phishing emails, or malware which might be sent to them? What about some advice about the type of threats that users could be exposed to - including, potentially, blackmail - if their membership of the site is uncovered?

If you're a member of AdultFriendFinder I hope you find the statement AdultFriendFinder offered the media reassuring, and that you'll sleep peacefully in your bed tonight rather than finding yourself all hot and bothered.

Stay safe out there.



8 Responses

  1. Coyote

    May 22, 2015 at 2:57 am #

    BBC:
    "Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.

    "We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected."

    Note the words 'this potential(1) issue' and 'protect our customers if(2) they are affected' … then note the irony of them making the claim they understand how serious this is. I'm sure that is comforting to those who are affected. Lovely customer care too. But then I've heard it is mostly a scam anyway, and if you follow that idea maybe they believe the attack is also an exaggeration at best? Whether the latter is true or not I do not know, but they certainly aren't taking it as seriously as they claim (and otherwise they're naively hopeful).

    • John doe in reply to Coyote.

      May 29, 2015 at 12:58 am #

      I was a member whose account has been hacked and I certainly don't feel reassured!!

      • Coyote in reply to John doe.

        June 1, 2015 at 4:38 am #

        A wise choice.

    • John doe in reply to Coyote.

      May 29, 2015 at 1:03 am #

      Now they have this posted: 5/22/2015 Update

      As an update, as has been reported, FriendFinder Networks Inc. recently became aware of a potential data security incident. The security of our members’ information remains our top priority and, upon learning of this incident, we took immediate action including:

      Launching an internal investigation to review and expand existing security protocols and processes
      Taking steps to protect our members such as temporarily disabling the username search function and masking usernames of any users we believe were affected by the security issue.
      This means that our members will still be able to log in using their username and password, but the search function will be disabled in an effort to protect members' privacy. We are also in the process of communicating directly to members on how to update their usernames and passwords
      Working closely with Mandiant, a leading third-party forensics expert, to investigate the incident, review network security and remediate our system
      Notifying law enforcement, including the FBI, and coordinating with their investigation into this attack
      It is important to note that, at this time, there is no evidence that any financial information or passwords were compromised.

      As is common with similar cyber-attack events, until the investigation is completed, it will be difficult to confirm the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates on this site as we learn more from our investigation. Protecting our members’ information is our top priority and we will continue to take the appropriate steps needed to protect our members and their information.

      • Coyote in reply to John doe.

        June 1, 2015 at 4:41 am #

        Fair enough. But still they weren't acting as concerned as they were claiming. Perhaps some of that was ignorance, perhaps that was wishing it away. I don't really know which nor do I care.

        It's still good they updated the status of it and I acknowledge that they managed to do that, however late it was.

        Edit: although the fact they use ‘potential’ is still disconcerting. Potential indeed. They should just admit it and inform the others that they are still investigating to what extent. But it isn’t potential – it is reality.

  2. Anon

    May 22, 2015 at 5:53 pm #

    I'm a member of AFF, and yes, I did not join just to do security research! But I thought it was strange that I suddenly started getting spam and phishing emails on the email address I used to sign up. I use this email address for a few different sites, but it had been a while since I signed up for a new one, so I thought it was a bit strange. Could be related to the data breach I suppose.

  3. 6H7fbaj89dJ

    May 23, 2015 at 10:54 pm #

    Graham,

    I just checked the site. There is now a small banner at the top under the title bar that reads as follows:

    "For more information on the security incident please go to http[:]//ffn[.]com/security-updates"

    Might wanna update your story now.

    Also, for the record, I was there to sign up for security research reasons. M'kay?

    • Graham Cluley in reply to 6H7fbaj89dJ.

      May 23, 2015 at 11:09 pm #

      Thanks. I saw yesterday that they had also acknowledged the breach via their Twitter account.
