TrendMicro, a data security and cyber security solutions company, defines a data breach as “an incident wherein information is stolen or taken from a system without the knowledge or authorization of the system’s owner.” DigitalGuardian said, since 2005, over 4,500 data breaches have been made public and over 816 million individual records have been breached.
Online dating is one of the most common industries targeted by hackers. In fact, there have been five data breaches that have had a major impact on dating sites, online daters, and technology and security overall. Here are the stories as well as the aftereffects of each:
1. AdultFriendFinder 2016: 412 Million Accounts Are Exposed
The biggest dating site data breach in terms of the number of users who were affected was AdultFriendFinder.com in late 2016. LeakedSource was the first to report the story, and they said hackers went after FriendFinder Networks, the parent company of AFF, in October 2016.
More than 412 million (412,214,295 to be exact) FriendFinder user accounts were exposed, 340 million of them from AdultFriendFinder. The breach affected Cams.com (62 million accounts), Penthouse.com (7 million accounts), Stripshow.com (1.4 million accounts), iCams.com (1.1 million accounts), and an unknown domain (35,000 accounts). Note: FriendFinder used to own Penthouse.com but sold it in February 2016 to Global Media.
The breach included 20 years' worth of customer data, including email addresses (among them personal, government, and military addresses) and passwords (e.g., 123456 and qwerty).
According to TechCrunch, the hackers supposedly got through a local file inclusion exploit, which gave them access to all of FriendFinder’s internal databases. Among the security vulnerabilities identified in the breach were that user passwords were stored in plaintext or “hashed” using the SHA1 algorithm, user logins for Penthouse.com were kept even after FriendFinder sold the site, and emails and passwords were kept from 15 million users who had deleted their accounts.
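An added example (not code from FriendFinder or the original article) of how a site holding the plaintext and unsalted SHA-1 password records described above can find them and move each account to a salted scrypt hash at its next successful login. The function names, record format, cost parameters, and sample store are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

N, R, P = 2**14, 8, 1  # scrypt cost parameters (assumed values; tune per host)

# Constructed sample store: one plaintext record, two unsalted SHA-1 records.
LEGACY_STORE = {
    "user_a": "qwerty",
    "user_b": hashlib.sha1(b"123456").hexdigest(),
    "user_c": hashlib.sha1(b"123456").hexdigest(),  # same password, same hash
}

def scrypt_hash(password: str) -> str:
    """Salted, memory-hard record in the form 'scrypt$<salt hex>$<key hex>'."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def classify(stored: str) -> str:
    """Guess the storage format of one record."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    # Heuristic: 40 lowercase hex chars is treated as an unsalted SHA-1 digest.
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1"
    return "plaintext"

def audit(store: dict) -> dict:
    """Count records per storage format so weak ones can be tracked to zero."""
    return dict(Counter(classify(v) for v in store.values()))

def verify_and_upgrade(password: str, stored: str):
    """Return (ok, record). A successful legacy login yields a new scrypt record."""
    kind = classify(stored)
    if kind == "scrypt":
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=N, r=R, p=P, dklen=32)
        return hmac.compare_digest(key.hex(), key_hex), stored
    candidate = (hashlib.sha1(password.encode()).hexdigest()
                 if kind == "sha1" else password)
    ok = hmac.compare_digest(candidate.encode(), stored.encode())
    return ok, (scrypt_hash(password) if ok else stored)
```

In the sample store, user_b and user_c share one SHA-1 value because nothing is salted, so a single guess of a common password covers every account that uses it; after the upgrade their records differ.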
FriendFinder Vice President Diana Ballou released a statement that read:
“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation. While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability. FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”
The Aftermath: As you can probably imagine, with all of the horrible press and the somewhat lackluster response from the team, AdultFriendFinder lost a lot of users and respect. Even today people can’t talk about AdultFriendFinder without talking about this security breach, which is actually the site’s second (more on that below).
2. Ashley Madison 2015: 39 Million Members Affected, $11.2 Million Paid to Victims
It all began on July 12, 2015, when the parent company of Ashley Madison, Avid Life Media, got a message from a group called Team Impact that said if it didn’t shut down the site (as well as its sister site, Established Men), private company and user data would be leaked. A week later, Team Impact gave Avid Life Media 30 days to do so.
On July 20, Avid Life Media issued a statement that confirmed the breach and said they were joining forces with Ashley Madison team members, law enforcement, and Cycura, a cyber security service provider, to investigate the breach. Two days later, Team Impact released the names of two Ashley Madison users.
The deadline came, and Ashley Madison and Established Men were still live. So Team Impact leaked 10GB worth of user information, which included email addresses (some of them government and military). “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data… too bad for ALM, you promised secrecy but didn’t deliver,” Team Impact said.
Over the next couple of months, Team Impact released more data, company emails, website source code, mailing addresses, IP addresses, user signup dates, and how much money users had spent on Ashley Madison. Among the 39 million users was Josh Duggar, of TLC’s “19 Kids and Counting,” who put in his profile that he was interested in “Sex Talk” and a “Bubble Bath for 2,” among other activities.
Hacking and security experts found that Ashley Madison didn’t verify emails when people signed up, didn’t have a comprehensive encryption system for user passwords, and hardcoded security credentials (like API secrets, authentication tokens, and SSL private keys) into the site’s source code. Not to mention, the accounts of users who paid to have them deleted weren’t actually deleted, and most of the female profiles on the site were fake.
The Aftermath: Ashley Madison was hit with a class action lawsuit, two users committed suicide, numerous users reported being blackmailed, CEO Noel Biderman resigned, and Avid Life Media (which rebranded to Ruby Life) paid $11.2 million to its data breach victims. Of course, not to be forgotten is the trust that people lost in the site.
3. AdultFriendFinder 2015: Personal Info of 3.5 Million Leaked
2016 wasn’t the first time AdultFriendFinder was hacked — it happened in May 2015, too. This time, Teksecurity was the first outlet with the news. Not only were email addresses and passwords leaked, but usernames, zip codes (or postcodes), IP addresses, birthdays, marital statuses, and sexual preferences were also exposed.
As soon as it was made aware of the breach, FriendFinder Networks said the team was investigating with law enforcement and Mandiant, a cyber forensics company owned by FireEye, which worked on other major breaches like Target, JP Morgan Chase, and Sony.
“We cannot speculate further about this issue, but, rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected,” FriendFinder told CNN.
According to CNN, other hackers commended ROR[RG], with one saying, “i am loading these up in the mailer now / i will send you some dough from what it makes / thank you!!”
Another, Andrew Auernheimer, looked through the data and started calling out AFF members with government, state, or military jobs — such as an employee with the Federal Aviation Administration and a state tax worker in California.
“I went straight for government employees because they seem the easiest to shame,” he said.
The Aftermath: The lives of 3.5 million people were drastically and irreparably changed because of AdultFriendFinder’s lack of security. Remember, it wasn’t just people’s basic private information that was shared — details about what they like to do in the bedroom and whether they were cheating on their spouses were also made public. However, this incident didn’t seem to hurt AdultFriendFinder too much because the site still had more than 340 million members just a year after this hack.
4. Guardian Soulmates 2017: 27 Users Report Receiving Explicit Emails
One of the smallest dating site data breaches was announced by Guardian Soulmates in May 2017. The site explained that 27 members contacted the team because they received explicit emails that showed their user IDs and email addresses were jeopardized. Their dates of birth and credit card information didn’t appear to have been exposed, though.
A spokesperson said, “Our ongoing investigations point to a human error by one of our third-party technology providers, which led to an exposure of an extract of data.”
The Aftermath: The impact the hack had on Guardian Soulmates wasn’t as bad as what we’ve seen from AdultFriendFinder or Ashley Madison. “We take matters of data security extremely seriously and have conducted thorough audits and are confident that no outside party breached any of these systems,” a company spokesperson said. “We have taken appropriate measures to ensure this does not happen again.”
5. Yahoo 2013-2014: 3 Billion User Accounts Impacted & $350 Million Lost in Verizon Communications Merger
We’re combining Yahoo’s two data breaches into one because they happened relatively close to each other. We’re also including these data breaches on our list, in general, because those affected could have also included members of Yahoo Personals, the company’s online dating service.
In 2013, there was a Yahoo security breach that affected 1 billion customers. In 2017, the company said it was actually 3 billion customers, not 1 billion — making this the largest security breach ever.
Email addresses, passwords, phone numbers, dates of birth, and security questions and answers were all jeopardized. Some good news out of all of this was that financial information (e.g., credit card numbers) wasn’t stolen.
Neither of these breaches was revealed until Sept. 2016. Yahoo explained that the team had investigated and thought they’d taken care of the problem, but a securities exchange filing in March 2017 shows they didn’t. In the words of CSO, “But even as the company took some remedial actions, such as notifying 26 users targeted in the hack and adding new security features, some senior executives allegedly failed to comprehend or investigate the incident further.”
The Aftermath: On Dec. 15, 2016, Yahoo’s stock fell 2.5% just a couple of hours after the 2013 breach was disclosed. This was three months after news of the 2014 breach broke. During that time as well, Verizon Communications was in the middle of a $4.83 billion deal to buy Yahoo. Because of the breaches, the two companies decided to take $350 million off the price tag.
Has Online Dating Seen Its Last Data Breach? Probably Not
Dating sites are tempting targets for hackers, and it’s easy to see why. They store a lot of personal and financial information, and sometimes their technology isn’t that great. Hopefully, we can all learn something from the mistakes of the companies above. Lessons for the consumer include don’t use your work email to sign up for a dating site, and make your password as hard to decipher as can be. For the dating sites, you can never have too much security. As they say, it’s better to be safe than sorry!