Following reports of a massive breach impacting millions of members of adult dating website Adult FriendFinder, website owner FriendFinder Networks Inc. announced that it was aware of and investigating a potential data security issue.
FriendFinder Networks has begun working with law enforcement and Mandiant as part of the investigation, but the company had no further details to add as the investigation is ongoing, according to a brief notification posted to the website.
News of the breach first hit the mainstream following a Thursday report by U.K.'s Channel 4 News, which indicated that the personal information of 3.9 million Adult FriendFinder members was discovered on the so-called dark web.
Channel 4 News reported that a hacker known as ROR[RG] posted the data in an underground forum, and that the information also included users who had deleted their accounts. The report noted that other hackers on the forum said they would use the data to target victims with spam emails.
Security researcher Troy Hunt tweeted on Friday that nearly four million records exposed in the incident are now searchable on the ‘Have I been pwned?’ website, which he established as a free resource for anyone to assess if their personal information has been compromised in a data breach.
The Have I been pwned? website indicated that usernames, dates of birth, email addresses, genders, geographic locations, IP addresses, races, relationship statuses, sexual preferences, and spoken languages are among the information stolen in the Adult FriendFinder breach.
In a statement emailed to SCMagazine.com on Friday, Marcin Kleczynski, CEO of Malwarebytes, said that a breach such as this can ruin people socially, as opposed to healthcare and financial breaches that threaten identity or finances.
“If the attackers decided that they wanted to utilize the same methods of extortion as say, the FBI ransomware, all they'd need to do is create an auto-mailer that sends out threats to each user that had a preference to cheat, and demanding payment in return for keeping quiet,” Kleczynski said, adding that extra work would be required to identify the victim's partner and that the effort may not be worth the money earned.
Public figures who used Adult FriendFinder may have more to worry about, Ken Westin, senior security analyst with Tripwire, noted in a statement emailed to SCMagazine.com on Friday. Even if they used an alias, other information compromised in the breach could potentially be used to identify the individual – thus opening the door for more profitable blackmail or extortion, Westin said.
According to reports, IT security consultant Bev Robb initially reported on the breach in April, but did not name the company.