A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including (and this is really bad) over 15 million “deleted” records that were not purged from the databases.
On top of the AdultFriendFinder records, 62M accounts from Cams, and 7M from Penthouse were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two okcupid or match decades’ worth of data from the company’s largest sites, according to breach notification LeakedSource, which obtained the data. ZDNet broke the news.
My take on this: “This is criminal negligence, as it’s not the first time. This hack is very similar to the data breach they had last year. Their procedures and policies are severely lacking, even users who believed they deleted their accounts have been stolen again. AdultFriendFinder have failed to learn from their mistakes and now 412 million people are high-value targets for blackmail, phishing attacks and other cybercrime. This is ten times worse than the Ashley Madison hack. Wait for a raft of class-action lawsuits.”
Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can “check if your spouse is cheating on you”, or ways to find out if your own extramarital affair has come out.
There will be phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmers, phishers and blackmailers who are now gleefully rubbing their hands, let alone the divorce lawyers and private investigators that are going to pour over the data.
Here is one of the examples of Ashley Madison extortion that came out after that hack, and you can expect the bad guys to do the same thing with AdultFriendFinder:
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $625 USD) to the following address:
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here.
The exfiltrated records included 339 million accounts from AdultFriendFinder, which the company promotes as the “world’s largest sex and swinger community
I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users today. Feel free to copy/paste/edit.
“Over the weekend it became clear that 339 million names, addresses and phone numbers of registered users at the AdultFriendFinder site (which makes it easy to cheat on your spouse) were hacked. All these records are now owned by cybercriminals, exposing highly sensitive personal information.
These bad guys are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with AdultFriendFinder, or that refer to cheating spouses and delete them immediately, both in the office or at the house.”
People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them
As you can see, stepping your users through new-school security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Current Events template that lures people into clicking on a link to a website to see if their spouse has not been faithful. The subject of the template is “Your spouse was found in the AdultFriendFinder list”.
We strongly recommend you send this to your employees as soon as possible. Last year when we did the same thing with Ashley Madison, 4 percent of the people clicked on it.
If you have not done so already, find out how affordable Security Awareness Training is for your organization, and be pleasantly surprised. Get a quote: