Slashdot Mirror


Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs

An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.

31 of 173 comments

  1. oh no by turkeydance · · Score: 5, Funny

    sorry, gotta go.

  2. Not really by Anonymous Coward · · Score: 5, Funny

    The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences...

    Given that their list of choices for sexual preferences doesn't include tentacle-on-pregnant furry futanari, I think I'm pretty safe.

  3. NO! Not my IP address!!! by Anonymous Coward · · Score: 5, Funny

    After the last big hack I had to give up my old IP address, 192.168.0.1, which I had used for years. What a pain!

  4. Hopefully by Anonymous Coward · · Score: 5, Interesting

    Hopefully some of the users that will be approached will not be good candidates for blackmailing; because they already got out of the relationship they were trying to cheat on or have already come out of the closet with whatever sexual kink they have.

    Hopefully those users will contact police when they receive blackmail attempts and will aid in netting whoever is behind this

  5. Re:How could you protect against this? by 3.5+stripes · · Score: 3, Interesting

    Why do you assume the hackers got everything, instead of just pulling a little jimmy droptables, hell all they really needed to get that info is read only access and a select all statement..

    --
    He tried to kill me with a forklift!
  6. Nuts and %$@) by tehlinux · · Score: 4, Funny

    Oh no, now everyone will know I'm a white male age 18 to 49!

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
    1. Re:Nuts and %$@) by Githyanki · · Score: 5, Funny

      You realize that putting quotes around it usually indicates that there is a nudge and wink going on at the same time. Reminds me of the joke: Guy sits and drinks at the bar till closing. Bartender tells him "Hey buddy, time to go, you're the last one here." Guy pulls a gun on the bartender and forces him to give him a blow job. Partway through, the guy loses concentration and the gun slips down. Bartender picks it up and hands it back to the guy. "Don't want anyone to come in and catch me doing this and think I'm gay!!"

    2. Re:Nuts and %$@) by Anonymous Coward · · Score: 4, Informative

      You must be young. Asterisks around a word indicate emphasis (bold or italic text), not quotation marks.

    3. Re:Nuts and %$@) by Anonymous Coward · · Score: 3, Funny

      Or possibly too old to see that they were asterisks and not quotation marks.

    4. Re:Nuts and %$@) by OhSoLaMeow · · Score: 4, Funny

      That reminds me of a joke. Guy goes into a bar and orders a scotch. He downs that quickly and goes through three more in the same fashion. The bartender asks him if he's celebrating anything. The guy says "Yeah, just had my first blowjob." Bartender says "Congratulations! Here's another one, on the house." The guy says "No thanks. If four scotches won't get the taste out of my mouth, another one isn't going to help."

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  7. The data by Dynamoo · · Score: 5, Informative

    The data is apparently a subset of 60 million records that the hackers are threatening to release.

    I've had a look at the data, there are very many easily identifiable people, for some of those there is date-of-birth data, ZIP code, "preferences", details of any money spent etc. There are a few people using their .gov email addresses for this, some of those can be verified by the IP address, some other email addresses belonging to other corporations. I would suspect that those are the people who are most at risk of blackmail. Remember too that an email address can be used to look people up on Facebook, which would make it easier for blackmailers to find potential victims.

    Not revealed in the breach (so far) are credit card data, real names (although many are obvious from the email addresses) or passwords. Although I notice that some people were smart enough to sign up with a throwaway email address, if they have actually paid for anything then they would have had to supply real contact details somewhere.

    The background story appears to be that a pissed-off affiliate who claims they were owed hundreds of thousands of dollars had a contact hack the database. It seems the hackers are demanding money else they will release the rest of the data.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:The data by QuasiSteve · · Score: 3, Informative

      While I agree with what you're trying to say here, I think GP actually meant that they could confirm that the IP address belongs to a range assigned to government institutions - i.e. it's not just people using their .gov e-mail address from home, but they're using it from what should be their public servant workplace - and not so much tying it to a specific individual.

  8. Re:useful by gstoddart · · Score: 5, Insightful

    And, of course, let's not stop there ... let's move to the managers, executives, and sales/marketing assholes who force this shit out the door.

    The poor bastard of a programmer who has been told by the VP or the CEO (or the sales wanker) that the product must ship now, or that security doesn't matter is not always the cause of this. Sometimes they're the ones saying "umm, guys, this could be a problem".

    So, if we're assigning blame, let's go with the people who are actually to blame and who make the decisions.

    In the military, "just following orders" may not be a defense. But in private industry it's often the management who create these problems.

    Which is precisely why I say that corporations should be held to a legal standard for the protection of personal information, and should carry penalties for failure to do so.

    As long as corporations just say "oh, bummer dude" and have no penalties, they'll continue to cut as many corners as possible. Because there simply is no consequence for them.

    I'm as concerned about the management people who don't give a damn. Because they're the ones who make policy and decide that not sucking at security is too costly.

    So, want a secure internet? Kick an MBA or a CEO in the nuts, and tell them you'll keep doing it until they insist on secure code.

    --
    Lost at C:>. Found at C.
  9. Re:useful by rubycodez · · Score: 3

    You're confused, no one cares what they do in their spare time. In fact, the ones I've worked with that use the services of whores like to talk about it.

  10. OPSEC by lophophore · · Score: 4, Insightful

    my god, people, if you are going to use a site like that, don't use your real name, work email address, etc.

    consider that *everything* is going to get compromised -- if it is not already. use some common sense.

    --
    there are 3 kinds of people:
    * those who can count
    * those who can't
  11. Re:Lol by ShanghaiBill · · Score: 4, Insightful

    If you're gonna cheat, why do it on the Internet? People who continue to trust the anonymity of the web boggle my mind.

    The physical world doesn't offer much anonymity either. At least the Internet offers more choices. Just don't use your real name, or primary email address, and you'll be fine.

  12. Oh, shit. by happily_married · · Score: 5, Funny

    This is horrible.

  13. Re: Some visualization by Dynamoo · · Score: 3, Informative

    It goes something like this:
    Male, male, male, male, male, male, male pretending to be female, male, male, OMG what's that.

    --
    Never email donotemail@WeAreSpammers.com
  14. Meh by Anonymous Coward · · Score: 5, Funny

    I think I had an account but like all adult sites I sign up for I used a throwaway email, lie about my age and location, and only show my dick and balls in photos.

    And no one will recognize the dick and balls as I'm a virgin in my 30s.

  15. Re:Lol by gbjbaanb · · Score: 3, Funny

    exactly, I wonder who was dumb enough to create a profile saying "Dave Brown of 22 Acacia Avenue AB1 3CD, wants to meet nice ladyboy for extramarital affair"? It'll be "single male, BigBrownie, of 1 nowhere place, wants to meet nice ladyboy"

    And as for the spam emails, I have a couple I use for all kinds of dodgy sites (eg slashdot) and I get loads of spam anyway.

    Still... .9 million users... that's a lot of people! I wonder why these dating sites charge so much per month for membership when they could just charge $1 and rake in the cash. Stack 'em high 'cos extramarital affairs are never going to go out of fashion - the only problem is ending up meeting your blind date and finding it's your wife!!

  16. Re:How could you protect against this? by gbjbaanb · · Score: 3, Insightful

    How about:

    a) not putting any kind of direct DB access in your website, using a middle tier layer (webservice?) to act as the DB access
    b) not letting the middle tier server access the DB directly, instead having to go through stored procedures
    c) basically not letting anyone run "select * from users" at all.

    Security can be done, but as long as we have websites that think "webserver" means all the back-end processing has to be running in the web server whether it's IIS or Apache, and frameworks that assume all development must be done in 1 web-server hosted language... then we will continue to see security breaches like this.

    You want to secure your site, split the web handling/presentation from the data processing, and the processing from the data extraction. Then slap as much security on the interfaces between these layers. Do not trust the webserver one bit. Assume the webserver is already hacked. Hell, do not trust the middle tier either - allow it only the limited data it needs for each part of the processing.

    I've done the above, it's not nearly as difficult as the webdevs will say.
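
One way to set up points (b) and (c) from the comment above in PostgreSQL, as an added example that is not part of the original post. The schema, table, role and function names are all hypothetical.

```sql
-- Added illustration (PostgreSQL); every object name here is hypothetical.

CREATE SCHEMA app_private;   -- tables live here, unreachable by the middle tier
CREATE SCHEMA app_api;       -- only narrow stored procedures live here

CREATE TABLE app_private.users (
    user_id      bigint PRIMARY KEY,
    display_name text   NOT NULL,
    email        text   NOT NULL,
    birth_date   date,
    postal_code  text
);

-- Login role for the middle tier. It owns nothing and starts with no grants.
CREATE ROLE middle_tier LOGIN;

-- Make the defaults explicit: nobody but the owner reaches the tables.
REVOKE ALL ON SCHEMA app_private FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app_private FROM PUBLIC;

-- Single entry point: one row per call, non-sensitive columns only.
-- SECURITY DEFINER runs the body with the owner's rights, so the caller
-- needs EXECUTE on the function but no privilege on the table itself.
CREATE FUNCTION app_api.get_public_profile(p_user_id bigint)
RETURNS TABLE (user_id bigint, display_name text)
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = app_private, pg_temp   -- pin name resolution inside the body
AS $$
    SELECT u.user_id, u.display_name
    FROM app_private.users AS u
    WHERE u.user_id = p_user_id;
$$;

-- Functions are executable by PUBLIC by default; remove that, then grant
-- the middle tier exactly this one call.
REVOKE ALL ON FUNCTION app_api.get_public_profile(bigint) FROM PUBLIC;
GRANT USAGE ON SCHEMA app_api TO middle_tier;
GRANT EXECUTE ON FUNCTION app_api.get_public_profile(bigint) TO middle_tier;
```

Connected as `middle_tier`, the function call succeeds while a direct `SELECT` on `app_private.users` is refused for lack of privilege. A compromised middle tier can still call the function once per id, so the arguments each procedure accepts and the columns it returns are where the remaining exposure has to be limited.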

  17. Re:This is why adultery is wrong by O('_')O_Bush · · Score: 4, Interesting

    Either that or be open about it. It is hard to blackmail someone over something that is public knowledge.

    --
    while(1) attack(People.Sandy);
  18. Look up your email address by OzPeter · · Score: 3, Interesting

    In the Ars story about this they pointed out a website that tracks breaches that I hadn't heard of before: ';--have i been pwned?

    I plugged my email addresses into this and found out that I had been a part of the Adobe breach from October 2013. And I don't remember Adobe telling me about it.

    --
    I am Slashdot. Are you Slashdot as well?
  19. Re:This is why adultery is wrong by disposable60 · · Score: 4, Funny

    Exactly. Be French about it.

    --
    You're looking for quotes? See my journal.
  20. Re:useful by Krojack · · Score: 4, Insightful

    Joking aside, the managers, executives, and sales/marketing assholes should be strung up for telling people your data was deleted when in fact it wasn't.

  21. Re:Lol by ShanghaiBill · · Score: 4, Informative

    I wonder why these dating sites charge so much per month for membership when they could just charge $1 and rake in the cash.

    A higher fee is an effective filter. The "free" sites are garbage, with lots of phoney or dead profiles. I paid $99 for an annual membership to match.com, met several nice girls, married one of them, and I now have a wife, two kids and a dog. Compared to all the other expenses I have incurred, the $99 is negligible.

  22. I can understand the wife and kids... by Anonymous Coward · · Score: 3, Funny

    I paid $99 for an annual membership to match.com, met several nice girls, married one of them, and I now have a wife, two kids and a dog.

    What kind of weird ass genetics do you have that you + wife = kid + kid + dog?!?!?

    1. Re:I can understand the wife and kids... by Anonymous Coward · · Score: 3, Insightful

      They're each half-dog with recessive genes, two human kids and one dog are the result.

  23. I felt a tremor in the force by DoofusOfDeath · · Score: 4, Funny

    As though millions of divorce lawyers just orgasmed at once.

  24. Re:Lol by zlives · · Score: 5, Funny

    you forgot to add the recurring charges ;) in your equation

  25. My sexual preference by Snotnose · · Score: 3, Funny

    is "yes, please"