An unidentified hacker has hit the adult hookup website Adult FriendFinder, exposing nearly 4 million users in one of the largest dumps of personal data ever.
The leaked database contains 3,867,997 unique emails, which are tied to users' sexual orientation, age, gender and race, according to security researcher Troy Hunt, who has examined the dump. In other words, the database is a treasure trove of intimate details about millions of people's sexual lives.
The hack was first reported on Thursday by Channel 4, a British TV station, but it appears to be the same breach that security researcher Bev Robb described in a post in April titled "Hacked! How Safe is your data on Adult Sites?"
In the post, Robb did not name the victim of the breach, simply saying it affected one of the largest adult sites on the internet. Robb said that a hacker going by the handle "ROR[RG]" hit the site and posted the database on a darknet forum out of revenge. The hacker also bragged that he was out of reach of law enforcement because he lived in Thailand, according to Robb.
On Thursday, however, Robb confirmed that the site she described was Adult FriendFinder.
"I guess everyone knows Adult FF was hacked now :)," she wrote in a tweet on Thursday.
FriendFinder Networks, the company that owns Adult FriendFinder, appeared to admit the breach in a statement posted on its website on Thursday. The company said it had "just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue."
The company added that it has started an investigation with the help of local and federal law enforcement and the security firm Mandiant, which is part of FireEye.
"Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation," the company wrote. "We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected."
Meanwhile, the database is out in the open, and it reveals highly sensitive and potentially damaging information. The hacker Andrew Auernheimer, also known as Weev, for example, has taken to Twitter to name and shame public officials whose emails and personal details he found in the leaked database, such as a Washington police academy commander or an FAA employee.
Someone with malicious intent could obviously use all this personal data for extortion or blackmail, and even automate the process.
If criminals could identify users that have a partner or are married, "all they'd need to do is create an auto-mailer that sends out threats to each user that had a preference to cheat, and demanding payment in return for keeping quiet," Marcin Kleczynski, the CEO of Malwarebytes, said in an email to Motherboard.
If you were a user of Adult FriendFinder and are wondering if your email is in the dump, you can search for your email on Hunt's website "haveibeenpwned.com."