A version of the database is distributed via social media

May 25, 2015 08:01 GMT

Personal information of about 3.9 million members of the Adult Friend Finder online hookup service is currently for sale for 70 bitcoins ($16,800 / €15,300) on an underground website.

The details about the subscribers are stored in 15 Excel spreadsheets and contain email addresses, usernames, dates of birth, postal codes, sexual orientation, gender, and IP addresses, a treasure trove for spammers and phishers.

The website was breached before April 13, and the database (possibly withholding some information) has been available on a forum hidden in the Tor anonymity network, which is accessible through the Tor web browser.

However, since Channel 4 broke the news on Thursday, the files have started to be distributed via social media sites on the regular Internet.

Hacker offers service for breaching companies and sites

On Saturday, the hacker who leaked the database (using the alias ROR[RG]) offered the full content, unredacted, for 70 bitcoins.

ROR[RG], claiming to be from Thailand, also offered his hacking skills for rent to anyone needing to break into “any company or site” in less than a week, for the amount of 750 bitcoins ($180,000 / €165,000).

FriendFinder Network, which owns the website, said on Friday, in an update on the potential data security incident, that it has taken steps to protect its subscribers by disabling the username search and masking the usernames of the individuals believed to be affected. Users can still log in with their credentials, though.

The company also announced that it has started to communicate with the impacted subscribers, delivering instructions on how to change their username and password for accessing the service. No evidence has been found that financial details or passwords have been compromised.

On the other hand, it is possible that the hacker released the spreadsheets after taking out the payment info, seeking to monetize it at a later time.

Users can check if their email has been compromised

“While in some ways, the breach of AdultFriendFinder is ‘just another breach,’ in another way it has a very unique characteristic: the potential for damage to the personal reputations of those whose membership in their database would mean the loss of family, position, and livelihood. It begs the question, ‘What’s being done to protect personal information?’ and presents the obvious answer, ‘Not enough,’” says Steve Hultquist, chief evangelist at RedSeal.

The database details have been added to Have I Been Pwned, a free service that collects email addresses from breaches, maintained by researcher Troy Hunt. Anyone can use the service to find out if their email address has been compromised.

Hunt analyzed the Adult Friend Finder dump and found it contained 3,867,997 unique email addresses.