Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs 173

An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
This discussion has been archived. No new comments can be posted.

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs

Comments Filter:
  • oh no (Score:5, Funny)

    by turkeydance ( 1266624 ) on Friday May 22, 2015 @10:06AM (#49751163)
    sorry, gotta go.
  • Not really (Score:5, Funny)

    by Anonymous Coward on Friday May 22, 2015 @10:09AM (#49751203)

    The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences...

    Given that their list of choices for sexual preferences doesn't include tentacle-on-pregnant furry futanari, I think I'm pretty safe.

  • by mwvdlee ( 775178 ) on Friday May 22, 2015 @10:10AM (#49751221) Homepage

    You could encrypt all the data in the database, but that would only protect you from somebody able to access the database but not any of the decryption code (somewhat unlikely).

    Assuming full access to the database and code, is there any way to protect against being able to link identification with the rest of the personal information.

    I can only come up with the obvious client-side encryption, but will the network as a whole still be able to use the data as it's supposed to (in this case; find adult friends)?

    • by 3.5 stripes ( 578410 ) on Friday May 22, 2015 @10:19AM (#49751319)

      Why do you assume the hackers got everything, instead of just pulling a little jimmy droptables, hell all they really needed to get that info is read only access and a select all statement..

    • Re: (Score:1, Flamebait)

      by l0ungeb0y ( 442022 )
      How about securing your freaking server by locking down all ports and running only necessary services with access restrictions to allowed IPs? How about NOT using MySQL which is shit poor as far as security? How about not allowing direct DB over a Port and use an API over HTTPS instead? These are but a few obvious things that can be done to prevent someone from getting access to your DB's Data Files or accessing the DB itself.
      • by gbjbaanb ( 229885 ) on Friday May 22, 2015 @11:16AM (#49751933)

        How about:

        a) not putting any kind of direct DB access in your website, using a middle tier layer (webservice?) to act as the DB access
        b) not letting the middle tier server access the DB directly, instead having to go through stored procedures
        c) basically not letting anyone run "select * from users" at all.

        Security can be done, but as long as we have websites that think "webserver" means all the back-end processing has to be running in the web server whether its IIS or Apache, and frameworks that assume all development must be done in 1 web-server hosted language.... then we will continue to see security breaches like this.

        You want to secure your site, split the web handling/presentation from the data processing, and the processing from the data extraction. Then slap as much security on the interfaces between these layers. Do not trust the webserver one bit. Assume the webserver is already hacked. Hell, do not trust the middle tier either - allow it only the limited data it needs for each part of the processing.

        I've done the above, its not nearly as difficult as the webdevs will say.

        • by noxay ( 2614699 )
          Its not always the difficulty standing in the way, sometimes its the money. The set up you are talking about is significantly more costly than a shared host with attached database. Granted a site like "Adult Friend Finder" probably has the cash to cover this, but not all sites that deal with eCommerce or saving user data have the funds for this.
    • by AmiMoJo ( 196126 )

      You could do things like splitting email addresses off into a different database on a different server and just keeping a hash in the main one, but it's only mm marginally better. Basically you can't be both secure and provide this kind of service.

      As well as the terrible male to female ratio (16:1) the other big issue here is that deleted accounts were not really deleted. The European Right to be Forgotten is designed to force companies operating in the EU to really delete accounts, and this illustrates why

      • The European Right to be Forgotten is designed to force companies operating in the EU to really delete accounts, and this illustrates why it is needed.

        I think you're confusing two different things here. The "right to be forgotten", as much discussed recently with regard to Google and the like, is primarily about search engines digging up old information that would otherwise naturally fade into obscurity, and in particular the danger of finding old information that looks plausible but may in fact be misleading without context or now incorrect/outdated.

        Sadly, most of us even in Europe still have rather limited rights to compel businesses not to store person

        • by AmiMoJo ( 196126 )

          The search results thing is not the right to be forgotten. Some stupid journalists got confused and called it that, but that was actually just existing data protection rules dating back to the mid 90s.

          The right to be forgotten is still being looked at, but basically will allow EU citizens to require companies to delete data supplied by them (accounts, uploaded photos etc.) on request. The data must really be deleted, not just marked as dormant or whatever.

          • The search results thing is not the right to be forgotten. Some stupid journalists got confused and called it that

            Those "stupid journalists" appear to be in good company, starting with official press releases from both the European Commission and indeed the European Court of Justice itself about the 2010 Spanish newspaper case.

            I would be the first to agree that moves towards a more powerful right to be forgotten such as you describe would be a good idea, but as of today, these are mostly just proposals. For example, while there is already a right under some limited circumstances to request deletion of personal data, th

    • by Kjella ( 173770 )

      I can only come up with the obvious client-side encryption, but will the network as a whole still be able to use the data as it's supposed to (in this case; find adult friends)?

      This. It seems sexual preferences, age and location is rather essential for the service they provide and email, well how else are they going to notify you that someone has taken an interest in you or that you got a reply? You can't ask a doctor to not work with medical data, there's of course good and poor security but at the end of the day if there's a total system compromise you're screwed.

      How could you protect against this?

      Best practice seems to be as follows:
      1. Public facing server makes web service call to locked down proxy server.
      2. Pr

  • by Anonymous Coward on Friday May 22, 2015 @10:14AM (#49751259)

    After the last big hack I had to give up my old IP address, 192.168.0.1, which I had used for years. What a pain!

  • Hopefully (Score:5, Interesting)

    by Anonymous Coward on Friday May 22, 2015 @10:15AM (#49751271)

    Hopefully some of the users that will be approached will not be good candidates for blackmailing; because they already got out of the relationship they were trying to cheat on or have already come out of the closet with whatever sexual kink they have.

    Hopefully those users will contact police when they receive blackmail attempts and will aid in netting whoever is behind this

    • by PPH ( 736903 )

      I get a kick out of how many people posting here assume that anyone using FriendFinder is a blackmail target due to this leaked information. There are singles who just might not care if others know they are out looking for f*buddies. And there are married people who might have open relationships.

      Some years ago, at an interview for a security clearance, these issues came up. "What would you do, Mr PPH, if someone threatened to publish pictures of you with some stripper?" Being single at the time I just said

    • by AmiMoJo ( 196126 )

      Or maybe the police will use it to blackmail/persecute people they don't like: http://www.theguardian.com/com... [theguardian.com]

      I wouldn't trust the police to investigate any kind of sex related crime: http://www.bbc.com/news/uk-328... [bbc.com]

  • by tehlinux ( 896034 ) on Friday May 22, 2015 @10:20AM (#49751325)

    Oh no, now everyone will know I'm a white male age 18 to 49!

    • Dammit, *straight* white male.

      • by Githyanki ( 4092025 ) on Friday May 22, 2015 @10:31AM (#49751449)
        You realize that putting quotes around it usually indicates that there is a nudge and wink going on at the same time. Reminds me of the joke: Guy sits and drinks at the bar till closing. Bartender tells him "Hey buddy, time to go, your the last one here." Guy pulls a gun on the bartender and forces him to give him a blow job. Partway through, the guy looses concentration and the gun slips down. Bartender picks it up and hands it back to the guy. "Dont want anyone to come in and catch me doing this and think I'm gay!!"
        • Re:Nuts and %$@) (Score:4, Informative)

          by Anonymous Coward on Friday May 22, 2015 @10:41AM (#49751565)

          You must be young. Asterisks around a word indicate emphasis (bold or italic text), not quotation marks.

          • Re: (Score:3, Funny)

            by Anonymous Coward
            Or possibly too old to see that they were asterisks and not quotation marks.
            • Or not using a large enough font or large enough monitor. Or using a font where the asterisk glyph is visually similar to a quote glyph.
        • You realize that putting quotes around it usually indicates that there is a nudge and wink going on at the same time

          And you realize that *straight*, as written by the poster, would produce bolded text in many editors, right?

          So, maybe you're not as "clever" as you think?

        • by OhSoLaMeow ( 2536022 ) on Friday May 22, 2015 @01:02PM (#49753011)
          That reminds me of a joke. Guy goes into a bar and orders a scotch. He downs that quickly and goes through three more in the same fashion. The bartender asks him if he's celebrating anything. The guy says "Yeah, just had my first blowjob." Bartender says "Congratulations! Here's another one, on the house." The guy says "No thanks. If four scotches won't get the taste out of my mouth, another one isn't going to help."
  • The data (Score:5, Informative)

    by Dynamoo ( 527749 ) on Friday May 22, 2015 @10:20AM (#49751331) Homepage
    The data is a apparently a subset of 60 million records that the hackers are threatening to release.

    I've had a look at the data, there are very many easily identifiable people, for some of those there is date-of-birth data, ZIP code, "preferences", details of any money spent etc. There are a few people using their .gov email addresses for this, some of those can be verified by the IP address, some other email addresses belonging to other corporations. I would suspect that those are the people who are most at risk of blackmail. Remember too that an email addresses can be used to look people up on Facebook, which would make it easier for blackmailers to find potential victims.

    Not revealed in the breach (so far) are credit card data, real names (although many are obvious from the email addresses) or passwords. Although I notice that some people were smart enough to sign up with a throwaway email address, if they have actually paid for anything then they would have had to supply real contact details somewhere.

    The background story appears to be that a pissed-off affiliate who claims they were owed hundreds of thousands of dollars had a contact hack the database. It seems the hackers are demanding money else they will release the rest of the data.

    • some other email addresses belonging to other corporations. I would suspect that those are the people who are most at risk of blackmail

      Why even bother with blackmail, which could land you in your own legal hell?

      Instead of racistsgettingfired.tumblr.com, somebody could try setting up cheatersgettingfired.tumblr.com and get people fired for their infidelity (plans).

    • This is a disgrace. In America, only the NSA, other secret police type organizations, and J. Edgar Hoover are entitled to this data. I'll bet this is Snowden's fault. SCHULTZ!!!

    • > It seems the hackers are demanding money else they will release the rest of the data.

      Would the hackers instead release the data in exchange for money?
    • How does this work?
      Hackers claim they have a huge database of embarrassing information. How do they prove that they didn't simply invent the information?

      I have a "database" showing that Senator XYX has as thing for furries and garden implements. See - here I have a text file with Senator XYZ's name and a list of preferences......

      You could take any list of names and add arbitrary kinks, then threaten to release them. How do you show that this is the *real* database and not one you made up?

  • by Anonymous Coward

    Suddenly many ministers are all going to 3 week long camps to be cured.

  • by Anonymous Coward
    How did they ever filter out all the fake accounts? Hot horny locals, my ass.
    • by Dynamoo ( 527749 )
      Actually, there are some clearly invalid or mis-typed email addresses in the list (e.g hotmial.com). So I am guessing that the addresses were not confirmed by the AFF system.
      • I think I have found a e-mail address to use for disposable accounts. Now I wonder if there are lists of spammers e-mail that I can use for creating some perverse circular spam linkage.
    • by PPH ( 736903 )
      No problem [kinja-img.com]
  • by Anonymous Coward

    How about some neat diagrams visualizing these data? Like relations between age, gender, residence, preferences, etc...

  • You can't send SPAM to an email that doesn't exist. Close the email account associated with the compromised account. Problem solved.
  • Adult FriendFinder, one of the largest dating sites in the world

    Dating site of F^@( Buddy site.

  • I'm sure the information release was trivial and... oh my God. I didn't realize she still had those photos.
  • OPSEC (Score:5, Insightful)

    by lophophore ( 4087 ) on Friday May 22, 2015 @10:49AM (#49751661) Homepage

    my god, people, if you are going to use a site like that, don't use your real name, work email address, etc.

    consider that *everything* is going to get compromised -- if it is not already. use some common sense.

    • use some common sense.

      there are 3 kinds of people:
      * those who can use some common sense
      * those who can't

    • by tlhIngan ( 30335 )

      my god, people, if you are going to use a site like that, don't use your real name, work email address, etc.

      Well, you're making an assumption that people who use those sites are smart.

      I mean, I see ads for Ashley Madison, a site that gears itself for having affairs. Since they're TV ads, I can't imagine the people who log into it looking to have an affair are too bright to not use their real names or anything. Especially since the information contained on that site would be particularly interesting to a lo

    • my god, people, if you are going to use a site like that, don't use your real name, work email address

      Exactly, instead use your boss's. That was if nothing happens no harm done, and if something does happen a new promotion may be in your future.

  • Oh, shit. (Score:5, Funny)

    by happily_married ( 4123969 ) on Friday May 22, 2015 @10:56AM (#49751731)
    This is horrible.
  • Meh (Score:5, Funny)

    by Anonymous Coward on Friday May 22, 2015 @10:59AM (#49751763)

    I think I had an account but like all adult sites I sign up for I used a throwaway email, lie about my age and location, and only show my dick and balls in photos.

    And no will recognize the dick and balls as I'm a virgin in my 30s.

  • ...and information indicating which of them are seeking extramarital affairs

    Good. Fuck em. Let's see some good old fashioned public shaming. Cheating fucks.

  • by OzPeter ( 195038 ) on Friday May 22, 2015 @11:37AM (#49752113)

    In the Ars story about this they pointed out a website that tracks beaches that I hadn't heard of before: ';--have i been pwned? [haveibeenpwned.com]

    I plugged my email addresses into this and found out that I had been a part of the Adobe breach fro October 2013. And I don't remember Adobe telling me about it

  • by Anonymous Coward

    As the protection of our customers is our utmost concern and in abundance of caution we have temporarily disabled the username search function and have begun to mask usernames of any users we believe were affected by the security issue. Users will still be able to log-in using their username and password but the username search functionality will be disabled until further notice. We are also creating a streamlined and easy process for users to change their usernames and passwords that will be live this weekend.

    If you have any questions or concerns, please do not hesitate to contact customer service. For further information please visit http://www.ffn.com/security-up... [ffn.com]

    -------

    FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert, Mandiant, a FireEye Company.

    Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.

    We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected.

  • I made such an effort to conceal my sexual orientation!
  • What my parents told me growing up comes to mind:
    http://biblehub.com/numbers/32... [biblehub.com] - "...you may be sure that your sin will find you out."
    At least anyone with fear of finally being exposed as dishonest has a warning sign to make amends with their partner.
    No one can fault you for the truth, although there may be consequences for the truth.

  • by Anonymous Coward

    All along I just figured it was a scam harvesting money from lonely guys. People actually used it for dating??? There were actually women on it???

  • by DoofusOfDeath ( 636671 ) on Friday May 22, 2015 @01:11PM (#49753107)

    As though millions of divorce lawyers just orgasmed at once.

  • by Snotnose ( 212196 ) on Friday May 22, 2015 @01:18PM (#49753165)
    is "yes, please"

To stay youthful, stay useful.

Working...