FriendFinder was the victim of a cyber attack leading to a data leak, including usernames and passwords for 412 million accounts. The hack is one thing, but the blackmail! Oh, the blackmail.
First Published 16th November 2016 | Latest Refresh 13th September 2022
Stephen, 31, persists in finding love on the internet.
2 min read | Reflare Research Team
Meeting people is easy
Some time back, the classified ad network FriendFinder (best known for its adult branch AdultFriendFinder) was hit by a cyber attack leading to the leak of an estimated 412 million email addresses and passwords. In this briefing, we will look at the expected impact of the attack and common sense best practices that individuals can apply.
From the most traditional viewpoint, the hack is notable simply for its scope. While many of the 412 million credential sets are likely to be fake accounts used by spammers, several dozen million accounts are likely to be legitimate. An unspecified portion of the credentials is reported to contain plaintext passwords. Considering how rampant password reuse is, we expect a sharp uptick of compromised secondary accounts and a brief but notable wave of related scams.
Perhaps the more significant implication of the attack, however, is blackmail.
You have mail
Early reports indicate that - similar to the Ashley Maddison hack of some years ago - large numbers of governmental and corporate email addresses are contained in the dataset. This makes individuals readily identifiable and opens them up for blackmail either by the original attackers or by 3rd parties.
The adult nature of the network means that while membership is perfectly legal in most parts of the world, individuals may wish to not be identified for fear of social, marital or career repercussions. The hack and subsequent leak of Ashley Maddison's user accounts last year has been linked to several suicides.
The fact that the entire dataset has been published indicates that the attackers were either acting from an activist position or inflicting economic harm on FriendFinder. More sophisticated attackers would have kept the user-list private and blackmailed users in high positions for maximum financial or political gain.
Users are strongly advised never to use governmental or corporate email accounts when signing up for services they would not like their employer to see. In general, throwaway single-use email accounts are recommended for any service that may be deemed to operate in a grey zone of social acceptability. Passwords should also never be re-used between different services to prevent a hack of one service from leading to account hijackings on others.
The value of good hygiene
Users of FriendFinder are advised to change their passwords as quickly as possible.
Similarly, password managers have become less of an option and more of a requirement during the last five years. The average user has accounts on many dozen different websites. Most websites insist on making passwords complex rather than strong.
For example, fish-vampire-mountain-relief-agriculture-washington is significantly harder to guess than Passw0rd! but the latter will pass most "security" requirements while the former will not. It is unrealistic to expect humans to remember dozens of unique, fully random passwords. So most of the time, one "good" password gets re-used.
Of course, in current times, attackers very rarely try to crack passwords directly. Most of the time, passwords are simply re-used after they were leaked. The only solutions to this problem are passwordless authentication - which is outside users' control, two-factor authentication and managed entirely random passwords. Business leaders are now starting to have a conversation about protecting valuable customer data, asking "whose responsibility should it be to bump the security behaviour of our customers towards a more secure state of usage?".