A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including (and this is really bad) over 15 million "deleted" records that were not purged from the databases.
The exfiltrated records included 339 million accounts from AdultFriendFinder.com, which the company promotes as the "world's largest sex and swinger community."
But wait, there's more...
On top of the AdultFriendFinder records, 62M accounts from Cams.com, and 7M from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data. ZDNet broke the news.
My take on this: "This is criminal negligence, as it's not the first time. This hack is very similar to the data breach they had last year. Their procedures and policies are severely lacking, even users who believed they deleted their accounts have been stolen again. AdultFriendFinder have failed to learn from their mistakes and now 412 million people are high-value targets for blackmail, phishing attacks and other cybercrime. This is ten times worse than the Ashley Madison hack. Wait for a raft of class-action lawsuits."
Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.
Any of these 339 million registered AdultFriendFinder users are now a target for a multitude of social engineering attacks. People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.
There will be phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, let alone the divorce lawyers and private investigators that are going to pour over the data.
Here is one of the examples of Ashley Madison extortion that came out after that hack, and you can expect the bad guys to do the same thing with AdultFriendFinder:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value 625 USD) to the following address:
Sending the wrong amount means I won't know it's you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here.....