Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs

Posted by Soulskill on from the another-day,-another-breach dept.

An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.

46 of 173 comments (clear)

  1. oh no by turkeydance · · Score: 5, Funny

    sorry, gotta go.

  2. Not really by Anonymous Coward · · Score: 5, Funny

    The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences...

    Given that their list of choices for sexual preferences doesn't include tentacle-on-pregnant furry futanari, I think I'm pretty safe.

  3. How could you protect against this? by mwvdlee · · Score: 2

    You could encrypt all the data in the database, but that would only protect you from somebody able to access the database but not any of the decryption code (somewhat unlikely).

    Assuming full access to the database and code, is there any way to protect against being able to link identification with the rest of the personal information.

    I can only come up with the obvious client-side encryption, but will the network as a whole still be able to use the data as it's supposed to (in this case; find adult friends)?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:How could you protect against this? by 3.5+stripes · · Score: 3, Interesting

      Why do you assume the hackers got everything, instead of just pulling a little jimmy droptables, hell all they really needed to get that info is read only access and a select all statement..

      --


      He tried to kill me with a forklift!
    2. Re:How could you protect against this? by AmiMoJo · · Score: 2

      You could do things like splitting email addresses off into a different database on a different server and just keeping a hash in the main one, but it's only mm marginally better. Basically you can't be both secure and provide this kind of service.

      As well as the terrible male to female ratio (16:1) the other big issue here is that deleted accounts were not really deleted. The European Right to be Forgotten is designed to force companies operating in the EU to really delete accounts, and this illustrates why it is needed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:How could you protect against this? by Anonymous+Brave+Guy · · Score: 2

      The European Right to be Forgotten is designed to force companies operating in the EU to really delete accounts, and this illustrates why it is needed.

      I think you're confusing two different things here. The "right to be forgotten", as much discussed recently with regard to Google and the like, is primarily about search engines digging up old information that would otherwise naturally fade into obscurity, and in particular the danger of finding old information that looks plausible but may in fact be misleading without context or now incorrect/outdated.

      Sadly, most of us even in Europe still have rather limited rights to compel businesses not to store personal data about us or to delete that data on demand, if the data is correct, they register the fact that they are doing it with the appropriate national privacy regulator, and they can come up with some vaguely plausible argument for why they want to have the data.

      I guess a few million people are about to find out the hard way why some of us have been arguing for a long time that we should have stronger privacy safeguards in the Internet/big data/data mining age. I wish they didn't have to find out this way, though.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:How could you protect against this? by gbjbaanb · · Score: 3, Insightful

      How about:

      a) not putting any kind of direct DB access in your website, using a middle tier layer (webservice?) to act as the DB access
      b) not letting the middle tier server access the DB directly, instead having to go through stored procedures
      c) basically not letting anyone run "select * from users" at all.

      Security can be done, but as long as we have websites that think "webserver" means all the back-end processing has to be running in the web server whether its IIS or Apache, and frameworks that assume all development must be done in 1 web-server hosted language.... then we will continue to see security breaches like this.

      You want to secure your site, split the web handling/presentation from the data processing, and the processing from the data extraction. Then slap as much security on the interfaces between these layers. Do not trust the webserver one bit. Assume the webserver is already hacked. Hell, do not trust the middle tier either - allow it only the limited data it needs for each part of the processing.

      I've done the above, its not nearly as difficult as the webdevs will say.

    5. Re:How could you protect against this? by AmiMoJo · · Score: 2

      The search results thing is not the right to be forgotten. Some stupid journalists got confused and called it that, but that was actually just existing data protection rules dating back to the mid 90s.

      The right to be forgotten is still being looked at, but basically will allow EU citizens to require companies to delete data supplied by them (accounts, uploaded photos etc.) on request. The data must really be deleted, not just marked as dormant or whatever.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. NO! Not my IP address!!! by Anonymous Coward · · Score: 5, Funny

    After the last big hack I had to give up my old IP address, 192.168.0.1, which I had used for years. What a pain!

  5. Hopefully by Anonymous Coward · · Score: 5, Interesting

    Hopefully some of the users that will be approached will not be good candidates for blackmailing; because they already got out of the relationship they were trying to cheat on or have already come out of the closet with whatever sexual kink they have.

    Hopefully those users will contact police when they receive blackmail attempts and will aid in netting whoever is behind this

    1. Re:Hopefully by PPH · · Score: 2

      I get a kick out of how many people posting here assume that anyone using FriendFinder is a blackmail target due to this leaked information. There are singles who just might not care if others know they are out looking for f*buddies. And there are married people who might have open relationships.

      Some years ago, at an interview for a security clearance, these issues came up. "What would you do, Mr PPH, if someone threatened to publish pictures of you with some stripper?" Being single at the time I just said I'd order copies to be sent out as Christmas cards.

      Things have gotten quite a bit more sane since those days. The DoD is quite willing to work with people involved in alternative lifestyles from a security perspective. And many companies would just as likely remove an intolerant supervisor as an employee that didn't live up to some ideal of a Christian lifestyle.

      --
      Have gnu, will travel.
  6. Re:useful by Registered+Coward+v2 · · Score: 2

    Our government is out of control anyway, anything that allows blackmail, removal from office, misery in their lives. etc is a good thing

    While we're at it let's extend it to programmers, DBAs, sys admins an designers who cause us so much misery because they are too stupid or lazy to build secure systems.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  7. Nuts and %$@) by tehlinux · · Score: 4, Funny

    Oh no, now everyone will know I'm a white male age 18 to 49!

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
    1. Re:Nuts and %$@) by Githyanki · · Score: 5, Funny

      You realize that putting quotes around it usually indicates that there is a nudge and wink going on at the same time. Reminds me of the joke: Guy sits and drinks at the bar till closing. Bartender tells him "Hey buddy, time to go, your the last one here." Guy pulls a gun on the bartender and forces him to give him a blow job. Partway through, the guy looses concentration and the gun slips down. Bartender picks it up and hands it back to the guy. "Dont want anyone to come in and catch me doing this and think I'm gay!!"

    2. Re:Nuts and %$@) by Anonymous Coward · · Score: 4, Informative

      You must be young. Asterisks around a word indicate emphasis (bold or italic text), not quotation marks.

    3. Re:Nuts and %$@) by Anonymous Coward · · Score: 3, Funny

      Or possibly too old to see that they were asterisks and not quotation marks.

    4. Re:Nuts and %$@) by OhSoLaMeow · · Score: 4, Funny

      That reminds me of a joke. Guy goes into a bar and orders a scotch. He downs that quickly and goes through three more in the same fashion. The bartender asks him if he's celebrating anything. The guy says "Yeah, just had my first blowjob." Bartender says "Congratulations! Here's another one, on the house." The guy says "No thanks. If four scotches won't get the taste out of my mouth, another one isn't going to help."

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  8. The data by Dynamoo · · Score: 5, Informative
    The data is a apparently a subset of 60 million records that the hackers are threatening to release.

    I've had a look at the data, there are very many easily identifiable people, for some of those there is date-of-birth data, ZIP code, "preferences", details of any money spent etc. There are a few people using their .gov email addresses for this, some of those can be verified by the IP address, some other email addresses belonging to other corporations. I would suspect that those are the people who are most at risk of blackmail. Remember too that an email addresses can be used to look people up on Facebook, which would make it easier for blackmailers to find potential victims.

    Not revealed in the breach (so far) are credit card data, real names (although many are obvious from the email addresses) or passwords. Although I notice that some people were smart enough to sign up with a throwaway email address, if they have actually paid for anything then they would have had to supply real contact details somewhere.

    The background story appears to be that a pissed-off affiliate who claims they were owed hundreds of thousands of dollars had a contact hack the database. It seems the hackers are demanding money else they will release the rest of the data.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:The data by QuasiSteve · · Score: 3, Informative

      While I agree with what you're trying to say here, I think GP actually meant that they could confirm that the IP address belongs to a range assigned to government institutions - i.e. it's not just people using their .gov e-mail address from home, but they're using it from what should be their public servant workplace - and not so much tying it to a specific individual.

  9. Re:useful by gstoddart · · Score: 5, Insightful

    And, of course, let's not stop there ... let's move to the managers, executives, and sales/marketing assholes who force this shit out the door.

    The poor bastard of a programmer who has been told by the VP or the CEO (or the sales wanker) that the product must ship now, or that security doesn't matter is not always the cause of this. Sometimes they're the ones saying "umm, guys, this could be a problem".

    So, if we're assigning blame, let's go with the people who are actually to blame and who make the decisions.

    In the military, "just following orders" may not be a defense. But in private industry it's often the management who create these problems.

    Which is precisely why I say that corporations should be held to a legal standard for the protection of personal information, and should carry penalties for failure to do so.

    As long as corporations just say "oh, bummer dude" and have no penalties, they'll continue to cut as many corners as possible. Because there simply is no consequence for them.

    I'm as concerned about the management people who don't give a damn. Because they're the ones who make policy and decide that not sucking at security is too costly.

    So, want a secure internet? Kick an MBA or a CEO in the nuts, and tell them you'll keep doing it until they insist on secure code.

    --
    Lost at C:>. Found at C.
  10. Re:useful by rubycodez · · Score: 3

    You're confused, no one cares what they do in their spare time. In fact, the ones I've worked with that use the services of whores like to talk about it.

  11. Re: Some visualization by Anonymous Coward · · Score: 2, Interesting

    Oh god yes this please. Fuck all the blackmail stories; there's a sociologic goldmine in this data. Dissertations will be written on this for years to come.

  12. OPSEC by lophophore · · Score: 4, Insightful

    my god, people, if you are going to use a site like that, don't use your real name, work email address, etc.

    consider that *everything* is going to get compromised -- if it is not already. use some common sense.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
    1. Re:OPSEC by antiperimetaparalogo · · Score: 2

      use some common sense.

      there are 3 kinds of people:
      * those who can use some common sense
      * those who can't

      --
      Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
  13. Re:Lol by ShanghaiBill · · Score: 4, Insightful

    If you're gonna cheat, why do it on the Internet? People who continue to trust the anonymity of the web boggle my mind.

    The physical world doesn't offer much anonymity either. At least the Internet offers more choices. Just don't use your real name, or primary email address, and you'll be fine.

  14. Re:Filter by Dynamoo · · Score: 2

    Actually, there are some clearly invalid or mis-typed email addresses in the list (e.g hotmial.com). So I am guessing that the addresses were not confirmed by the AFF system.

    --
    Never email donotemail@WeAreSpammers.com
  15. Oh, shit. by happily_married · · Score: 5, Funny

    This is horrible.

  16. Re: Some visualization by Dynamoo · · Score: 3, Informative

    It goes something like this:
    Male, male, male, male, male, male, male pretending to be female, male, male, OMG what's that.

    --
    Never email donotemail@WeAreSpammers.com
  17. Meh by Anonymous Coward · · Score: 5, Funny

    I think I had an account but like all adult sites I sign up for I used a throwaway email, lie about my age and location, and only show my dick and balls in photos.

    And no will recognize the dick and balls as I'm a virgin in my 30s.

  18. Re:Lol by gbjbaanb · · Score: 3, Funny

    exactly, I wonder who was dumb enough to create a profile saying "Dave Brown of 22 Acacia Avenue AB1 3CD, wants to meet nice ladyboy for extramartial affair"? It'll be "single male, BigBrownie, of 1 nowhere place, wants to meet nice ladyboy"

    And as for the spam emails, I have a couple I use for all kinds of dodgy sites (eg slashdot) and I get loads of spam anyway.

    Still... .9 million users... that's a lot of people! I wonder why these dating sites charge so much per month for membership when they could just charge $1 and rake in the cash. Stack 'em high 'cos extramarital affairs are never going to go out of fashion - the only problem is ending up meeting your blind date and finding it's your wife!!

  19. Re:This is why adultery is wrong by O('_')O_Bush · · Score: 4, Interesting

    Either that or be open about it. It is hard to blackmail someone over something that is public knowledge.

    --
    while(1) attack(People.Sandy);
  20. Look up your email address by OzPeter · · Score: 3, Interesting

    In the Ars story about this they pointed out a website that tracks beaches that I hadn't heard of before: ';--have i been pwned?

    I plugged my email addresses into this and found out that I had been a part of the Adobe breach fro October 2013. And I don't remember Adobe telling me about it

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Look up your email address by tlambert · · Score: 2

      In the Ars story about this they pointed out a website that tracks beaches that I hadn't heard of before: ';--have i been pwned?

      Isn't that site just an alias for the "pleasepownmeheresmyemailaddress.com"?

  21. Re:This is why adultery is wrong by disposable60 · · Score: 4, Funny

    Exactly. Be French about it.

    --
    You're looking for quotes? See my journal.
  22. Re:useful by Krojack · · Score: 4, Insightful

    Joking aside, the managers, executives, and sales/marketing assholes should be strung up for telling people your data was deleted when in fact it wasn't.

  23. Re:Lol by ShanghaiBill · · Score: 4, Informative

    I wonder why these dating sites charge so much per month for membership when they could just charge $1 and rake in the cash.

    A higher fee is an effective filter. The "free" sites are garbage, with lots of phoney or dead profiles. I paid $99 for an annual membership to match.com, met several nice girls, married one of them, and I now have a wife, two kids and a dog. Compared to all the other expenses I have incurred, the $99 is negligible.

  24. Re:Delete YOUR email account... by DickBreath · · Score: 2, Funny

    Your never going too get you're weigh on this. Their are just two many people out they're using there words wrong too get to upset. Sew don't loose you're cool about it. You can sea mini common examples that exist of incorrect usage. People pick the write words two use according too there porpoises. But you'd have two be a fool to begin or end a sentence with the word "but". And only an idiot would begin or end a sentence with "and". And a preposition is a very bad word too end a sentence with.

    --

    I'll see your senator, and I'll raise you two judges.
  25. I can understand the wife and kids... by Anonymous Coward · · Score: 3, Funny

    I paid $99 for an annual membership to match.com, met several nice girls, married one of them, and I now have a wife, two kids and a dog.

    What kind of weird ass genetics do you have that you + wife = kid + kid + dog?!?!?

    1. Re:I can understand the wife and kids... by Anonymous Coward · · Score: 3, Insightful

      They're each half-dog with recessive genes, two human kids and one dog are the result.

  26. Re: Lol by dr_dank · · Score: 2

    That could happen if you both enjoy Piña Coladas and getting caught in the rain.

    --
    Where does the school board find them and why do they keep sending them to ME?
  27. Re:This is why adultery is wrong by PopeRatzo · · Score: 2

    This is why people with substantial power — such as, first of all, government officials — must not engage in adultery or anything similarly reprehensible even if it is not illegal for the rest of us. Not because of some wicked "puritanism", but because it opens them up to blackmail, that corrupts government thus affecting all of us.

    And if I do it, it opens me up to getting my throat slit in my sleep.

    --
    You are welcome on my lawn.
  28. Re:This is why adultery is wrong by GameboyRMH · · Score: 2

    Agreed. A while ago there was a big stink kicked up locally because a government official's mistress was about to fly in but his wife found out and was going to catch her, so he called the customs officials and had the mistress held at the airport and then deported to keep his affair under wraps (or at least keep the wife and mistress from meeting). The mistress had no idea why she was being held at the time. Officially it just looks like she was held and deported for no good reason at best - or profiling at worst.

    Of course in a small community, it's not in the news even though everybody knows it, on paper it's "see no evil, hear no evil, speak no evil."

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  29. I felt a tremor in the force by DoofusOfDeath · · Score: 4, Funny

    As though millions of divorce lawyers just orgasmed at once.

  30. Re:Lol by zlives · · Score: 5, Funny

    you forgot to add the recurring charges ;) in your equation

  31. My sexual preference by Snotnose · · Score: 3, Funny

    is "yes, please"

  32. Re:That raises the question by random+coward · · Score: 2

    Also implicit is that the only real sin is hypocrisy. Its okay to live an immoral lifestyle; but how dare you hold up morality and yet fall short. So its okay to be a Bill Clinton and dip into the intern pool, but don't be a Larry Craig and be for morality and tap your foot in the bathroom.