Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
And, of course, let's not stop there ... let's move to the managers, executives, and sales/marketing assholes who force this shit out the door.
The poor bastard of a programmer who has been told by the VP or the CEO (or the sales wanker) that the product must ship now, or that security doesn't matter is not always the cause of this. Sometimes they're the ones saying "umm, guys, this could be a problem".
So, if we're assigning blame, let's go with the people who are actually to blame and who make the decisions.
In the military, "just following orders" may not be a defense. But in private industry it's often the management who create these problems.
Which is precisely why I say that corporations should be held to a legal standard for the protection of personal information, and should carry penalties for failure to do so.
As long as corporations just say "oh, bummer dude" and have no penalties, they'll continue to cut as many corners as possible. Because there simply is no consequence for them.
I'm as concerned about the management people who don't give a damn. Because they're the ones who make policy and decide that not sucking at security is too costly.
So, want a secure internet? Kick an MBA or a CEO in the nuts, and tell them you'll keep doing it until they insist on secure code.
Lost at C:>. Found at C.
My god, people, if you are going to use a site like that, don't use your real name, work email address, etc.
Consider that *everything* is going to get compromised, if it is not already. Use some common sense.
there are 3 kinds of people:
* those who can count
* those who can't
If you're gonna cheat, why do it on the Internet? People who continue to trust the anonymity of the web boggle my mind.
The physical world doesn't offer much anonymity either. At least the Internet offers more choices. Just don't use your real name or primary email address, and you'll be fine.
How about:
a) not putting any kind of direct DB access in your website, using a middle tier layer (webservice?) to act as the DB access
b) not letting the middle tier server access the DB directly, instead having to go through stored procedures
c) basically not letting anyone run "select * from users" at all.
Security can be done, but as long as we have websites that think "webserver" means all the back-end processing has to be running in the web server, whether it's IIS or Apache, and frameworks that assume all development must be done in one web-server-hosted language... then we will continue to see security breaches like this.
You want to secure your site, split the web handling/presentation from the data processing, and the processing from the data extraction. Then slap as much security on the interfaces between these layers. Do not trust the webserver one bit. Assume the webserver is already hacked. Hell, do not trust the middle tier either - allow it only the limited data it needs for each part of the processing.
I've done the above; it's not nearly as difficult as the webdevs will say.
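The layered setup this comment describes (middle tier goes through stored procedures only, nobody can run "select * from users"), worked through as an added example in PostgreSQL. This is not code from the original post or from any site mentioned here; the role name, table layout, column names and function names are assumptions chosen for illustration.

```sql
-- Added example, not from the original post. Assumed names: role app_midtier,
-- table users, functions auth_check and account_delete. Requires pgcrypto for crypt().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    id            bigserial PRIMARY KEY,
    email         text NOT NULL UNIQUE,
    password_hash text NOT NULL,   -- bcrypt hash produced by crypt(pw, gen_salt('bf'))
    birth_date    date,
    postal_code   text
);

-- The middle tier connects as this role. The web server itself gets no DB login at all.
CREATE ROLE app_midtier LOGIN PASSWORD 'replace-me-with-a-real-secret';
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_midtier;
-- Deliberately no GRANT on the users table: app_midtier cannot read or dump it.

-- Stored procedure for login. SECURITY DEFINER runs with the owner's rights, so the
-- caller needs no table privilege and receives only an id (or NULL), never the hash.
CREATE OR REPLACE FUNCTION auth_check(p_email text, p_password text)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp   -- prevents search_path hijacking of a definer function
AS $$
DECLARE
    v_id bigint;
BEGIN
    SELECT id INTO v_id
      FROM users
     WHERE email = p_email
       AND password_hash = crypt(p_password, password_hash);
    RETURN v_id;   -- NULL when the credentials do not match
END;
$$;

-- Account deletion actually removes the row instead of flagging it.
CREATE OR REPLACE FUNCTION account_delete(p_id bigint)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
DECLARE
    v_rows integer;
BEGIN
    DELETE FROM users WHERE id = p_id;
    GET DIAGNOSTICS v_rows = ROW_COUNT;
    RETURN v_rows = 1;
END;
$$;

-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default; take that back
-- and hand out only the two entry points the middle tier is allowed to call.
REVOKE ALL ON FUNCTION auth_check(text, text) FROM PUBLIC;
REVOKE ALL ON FUNCTION account_delete(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION auth_check(text, text) TO app_midtier;
GRANT EXECUTE ON FUNCTION account_delete(bigint) TO app_midtier;

-- Sample data (constructed) and a check from the middle-tier role's point of view.
INSERT INTO users (email, password_hash, birth_date, postal_code)
VALUES ('alice@example.com', crypt('correct horse battery', gen_salt('bf')), '1980-01-01', '90210');

SET ROLE app_midtier;   -- works when run as a superuser or a member of app_midtier
SELECT auth_check('alice@example.com', 'correct horse battery');  -- returns alice's id
SELECT auth_check('alice@example.com', 'wrong');                  -- returns NULL
-- SELECT * FROM users;  -- ERROR: permission denied for table users
RESET ROLE;
```

The point of the grants is that a compromised middle tier (or a SQL injection reaching it) can only do what the two functions allow: check one credential pair at a time or delete one account. Bulk extraction of emails, birth dates and postal codes, the data that leaked in the story above, is not possible through that connection.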
Joking aside, the managers, executives, and sales/marketing assholes should be strung up for telling people your data was deleted when in fact it wasn't.
They're each half-dog with recessive genes, two human kids and one dog are the result.