This Friday the news hit that 3.5 million personally identifiable records were leaked from systems belonging to the adult oriented website, AdultFriendFinder. The really interesting part wasn’t so much the tenting of fingers and overly ravenous bystanders but, more so the number of people cringing behind their monitors across the vast expanses of the Internet.
Adult Friend Finder is not a recipe swapping or knitting site by any stretch of the imagination. Rather than rehash what has already been said, I would ask you to read the excellent post by Steve Ragan.
Word of Adult Friend Finder's problems first surfaced last month. An IT consultant and Darknet researcher, who prefers to be known as Teksquisite, discovered the files on a forum in April. Salted Hash, looking to confirm her findings, discovered the same posts and files in short order.
The hacker claiming responsibility for the breach says they’re from Thailand, and started boasting about being out of reach of U.S. law enforcement because of location alone.
While the long arm of the law might not be a concern for the attackers who made off with the salacious information, others should have a concern. And who might those folks be? Well, I had the opportunity last night to dig through some postings on underground sites about the information from the data breach. I noticed a rather unfortunate trend.
If the information contained in the widely shared database breach is to be trusted at all, there are a lot of people who need to watch a talk by The Grugq on OPSEC. Many folks used throwaway email address on Hotmail, Gmail and Yahoo to register for their accounts on Adult Friend Finder. Good idea. I’m not one to throw stones. People like to get their freak on and that is their prerogative. Any faux statistician can tell you that 84% of people engage in some sort of sexual activity and the other 16% of people are lying about it.
The problem that came to light was that, buried in the data, people were using their work email address to register for Adult Friend Finder. It was noticed by some folks I spoke with who were familiar with the data, that there were email addresses for folks serving in the US Army, US Airforce, Australian military as well as members of the Colombian, Brazilian and the Canadian Forces. That was just based on a cursory search.
Further to that end, according to the leaked data, government related email addresses showed that staffers from around the world had registered with their work email. Rather amazing that people would do such a thing.
So, why is this a problem? Well, an enterprising sort could track a person back through some simple searches. In one scenario someone would be possibly able to find a military personnel’s home address, current station, and…the names of his wife and children just as an example scenario.
I’m not one to pass judgement. But, I will offer that if you’re going to sign up for a service like this that you make use of a throw away email and limit what information you do share. Otherwise you might get an email from someone demanding payment to not destroy your life or worse, ask you to divulge confidential information that could put other people in harms way.
(Image used under CC from Sergio Fabara)