Over the weekend, the classified ad network FriendFinder (best known for its adult branch AdultFriendFinder) was hit by a cyber attack leading to the leak of an estimated 412 million email addresses and passwords. In this briefing we will take a look at the expected impact of the attack as well as common sense best practices that can be applied by individuals.
From the most conventional viewpoint, the hack is notable simply for its scope. While a large number of the 412 million credential sets are likely to be fake accounts used by spammers, several dozen million accounts are likely to be legitimate. An unspecified portion of the credentials is reported to contain plaintext passwords.
Considering how rampant password re-use is, we expect a sharp uptick of compromised secondary accounts and a brief but notable wave of related scams.
Perhaps the more important implication of the attack, however, is blackmail.
Early reports indicate that, similar to the Ashley Madison hack of last year, large numbers of governmental and corporate email addresses are contained in the dataset. This makes individuals readily identifiable and opens them up to blackmail, either by the original attackers or by third parties.
The adult nature of the network means that, while membership is perfectly legal in most parts of the world, individuals may not wish to be identified for fear of social, marital or career repercussions. The hack and subsequent leak of Ashley Madison user accounts last year has been linked to several suicides.
The fact that the entire dataset has been published indicates that the attackers were either acting from an activist position or aiming to inflict economic harm on FriendFinder. More sophisticated attackers would have kept the user list private and then blackmailed users in high positions individually for maximum financial or political gain.
Users are strongly advised never to use governmental or corporate email accounts when signing up for services they would not like their employer to see. In general, throwaway single-use email accounts are recommended for any service that may be deemed to operate in a gray zone of social acceptability. Passwords should also never be re-used between different services, so that the compromise of one service does not lead to account hijackings on others.
Users of FriendFinder are advised to change their passwords as quickly as possible.
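The two risks the advice above addresses, corporate addresses appearing in the dump and passwords re-used across services, are exactly what a security team triages after a leak like this one. The following is an added example (not from FriendFinder or any vendor) that scans constructed leak rows for addresses on an organisation's own domains and, for those users, checks whether the leaked plaintext password matches the organisation's stored salted hash, which is the signal for a forced reset. The domains, rows and directory are invented; the hash scheme (PBKDF2-HMAC-SHA256) is an assumption about how the organisation stores passwords.

```python
import hashlib
import hmac
import os

# Constructed leak rows in the "email,password" shape such dumps are usually
# redistributed in. Every address and password here is invented.
LEAK_ROWS = [
    "Alice@example.gov,Summer2016!",
    "bob@corp.example.com,hunter2",
    "spammer123@mailinator.test,qwerty",
    "carol@corp.example.com,correct horse battery",
]

# Hypothetical set of email domains the organisation controls.
ORG_DOMAINS = {"example.gov", "corp.example.com"}


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive the stored form of a password (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_directory() -> dict:
    """Constructed stand-in for the org's credential store: email -> (salt, hash).
    Alice and Bob re-used their work password on the site; Carol did not."""
    current_passwords = {
        "alice@example.gov": "Summer2016!",
        "bob@corp.example.com": "hunter2",
        "carol@corp.example.com": "a-different-password",
    }
    directory = {}
    for email, password in current_passwords.items():
        salt = os.urandom(16)
        directory[email] = (salt, pbkdf2_hash(password, salt))
    return directory


def triage(rows, org_domains, directory):
    """Return (flagged, reuse): org addresses present in the dump, and the subset
    whose leaked password still verifies against the org's own stored hash."""
    flagged, reuse = [], []
    for row in rows:
        email, _, password = row.partition(",")
        email = email.strip().lower()
        if email.rsplit("@", 1)[-1] not in org_domains:
            continue  # not one of ours; nothing to act on internally
        flagged.append(email)
        entry = directory.get(email)
        if entry is None:
            continue  # address is ours but no active account to reset
        salt, stored = entry
        # Constant-time comparison, as for any password check.
        if hmac.compare_digest(pbkdf2_hash(password, salt), stored):
            reuse.append(email)
    return flagged, reuse
```

`flagged` users get the "do not use work addresses on such services" reminder; `reuse` users get an immediate forced password reset, since anyone holding the dump can log in as them today.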