Adult FriendFinder hacked
Almost 4 million users of the "dating, hookup and sex community" Adult FriendFinder have had their details leaked online, including their sexual orientation and willingness to have affairs.

A treasure trove of deeply personal information about almost 4 million members of the online dating service Adult FriendFinder has been published on the dark web revealing intimate details including sexual orientation and the person's willingness to take part in extramarital affairs.

The trove of data was discovered during an investigation by Channel 4 News into the deep web -- that part of the internet which is not accessible by normal web browsers and not indexed by search engines such as Google.

The database of user information was published on a secretive forum by a user under the name ROR[RG], who may have been seeking to blackmail Adult FriendFinder for as much as $100,000 (£63,850) before posting the information online.

According to a post on the TekSecurity website from April, the hacker claimed Adult FriendFinder owed a friend of his $248,000 and published the stolen information in response. The hacker claimed he could not be touched by law enforcement because he was based in Thailand.

Dark web explained

The dark web is a section of the internet that is not indexed by search engines such as Google, and not easily navigated to using a standard web browser. Accessing the dark web requires specialised knowledge and software tools. An example of this is content only accessible by using the Tor software and anonymity network, which while protecting privacy, is often associated with illicit activities.

Blackmail

The information contained in the leak includes usernames, post codes, emails, dates of birth, and even the unique internet addresses of users. It also includes details of which forums most interest the users (subporno, BDSM) and could easily be used to carry out spear phishing attacks against users or potentially blackmail campaigns.

Ken Westin, a senior security analyst at Tripwire, highlighted the problems.

"The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual," said Westin.

"When dating information is compromised it can be used to embarrass individuals, which can lead to blackmail as well as highly targeted phishing campaigns. An example would be a politician who may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity. This is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information."

Among the 3.9 million leaked records are 26,939 users with a UK email address, according to Channel 4's investigations.

The investigation also shows that the service, which bills itself as "a thriving sex community", continued to hold details on some users who had explicitly asked for their information to be deleted.

"The site seemed OK"

Shaun Harper, who was among those who had their details leaked, told Channel 4: "The site seemed OK, but when I got into it I realised it wasn't really for me, I was looking for something longer term. But by that time I'd already given my information. You couldn't get into the site without handing over information. I deleted my account, so I thought the information had gone. These sites are meant to be secure."

Adult FriendFinder has admitted the security breach, adding that it has brought on board one of the most prominent security companies to help investigate how the breach took place.

"FriendFinder has only just been made aware of this potential issue and understands and fully appreciates the seriousness of the issue," the firm said in a statement to the BBC.

"We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert, Mandiant. Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation.

"We cannot speculate further about this issue but, rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected."

High-profile victims

Mandiant was called upon by Sony last year following the devastating cyberattack on Sony Pictures, allegedly carried out by North Korean hackers in response to the release of the film The Interview, which mocks Kim Jong-un.

Tim Erlin, from Tripwire, warned that as investigations into this breach continue, we could see some high-profile victims unmasked: "Aside from the known value of compromised personal details on the dark web, there's certainly the potential for blackmail from this breach.

"If any high profile, public figures or politicians have been using Adult FriendFinder, they might consider how the details they entered there could be used against them. It's become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It's not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data."