California-based AdultFriendFinder (AFF) is a ‘dating, hookup and sex community’ website designed to allow members to easily contact each other for real-life casual sex dates. It claims to have ‘helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners.’
When signing up for an account, its 64 million members had to enter their sexual preference details, including which gender they prefer, and which kind of sexual situations they are interested in finding. Users also had to provide details such as age, zip code, and whether they were looking for an extra-marital affair.
These are very intimate details, and could obviously be very damaging to the individuals involved. It must therefore be among many users’ worst nightmares come true to learn that a disgruntled hacker has obtained the details of some 3.8 million former subscribers, and is now offering them for sale on the internet.
This information includes things such as email addresses, birth dates, locations, and IP addresses of the users, and in some cases includes an entry showing which ads they responded to (e.g. ‘subbdsm’ or ‘subsexowebcamporno’). No credit card data appears to have been leaked, however (although it was stolen, and has been stripped from the databases offered for sale).
The theft of the data (which is contained in 15 Microsoft Excel spreadsheets) was first reported by the UK’s Channel 4 TV station, which claims that,
‘The spreadsheets contain addresses linked to dozens of government and armed services personnel, including members of the British Army.’
According to Andrew Auernheimer, a controversial computer hacker who looked through the files, US victims include ‘a Washington police academy commander, an FAA employee, a California state tax worker and a naval intelligence officer who supposedly tried to cheat on his wife.’
Interestingly, it seems that many of the details were obtained from supposedly deleted accounts (which were clearly still stored by AFF). As website member Shaun Harper told Channel 4,
‘The site seemed OK, but when I got into it I realised it wasn’t really for me, I was looking for something longer term. But by that time I’d already given my information. You couldn’t get into the site without handing over information…. I deleted my account, so I thought the information had gone. These sites are meant to be secure.’
The breach appears to be the same one reported by security researcher Bev Robb over a month ago (although Robb refrained from naming the website involved as AdultFriendFinder), and which has only now received widespread public attention.
The hacker responsible for it goes by the moniker of ROR[RG], and was angry at AdultFriendFinder because he believed the website owed his friend $248,000 USD. He initially demanded a ransom of $100,000 USD (plus the $248,000 owed to his buddy) from AFF for the stolen information, and when this was not forthcoming, offered to sell the spreadsheet files on a darknet forum for 70 Bitcoins (approx. $16,700 USD at time of writing).
Members of that forum appeared elated at the info-dump, with one member named ‘MAPS’ saying,
‘i am loading these up in the mailer now / i will send you some dough from what it makes / thank you!!’
Security researcher Brian Krebs described the breach as a ‘boon to extortionists’, and noted that,
‘AFF breach clearly threatens to inundate breached users with tons more spam, and potentially makes it easy to identify subscribers in real life. Such a connection could expose users to blackmail attempts: I spent roughly 10 minutes popping email addresses from the leaked AFF users list into Facebook, and managed to locate more than a dozen active Facebook accounts apparently tied to married men.’
This concern is shared by ‘online crime experts’ who told Channel 4 that ‘after the initial spam email campaign, hackers will now begin trawling through the data for potential blackmail targets.’