Your end-users may have seen this in the news yesterday, or will read about it today.
A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including (and this is really bad) over 15 million "deleted" records that were not purged from the databases.
The exfiltrated records included 339 million accounts from AdultFriendFinder.com, which the company promotes as the "world's largest sex and swinger community."
But wait, there's more...
On top of the AdultFriendFinder records, 62M accounts from Cams.com, and 7M from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data. ZDNet broke the news.
My take on this: "This is criminal negligence, as it's not the first time. This hack is very similar to the data breach they had last year. Their procedures and policies are severely lacking, even users who believed they deleted their accounts have been stolen again. AdultFriendFinder have failed to learn from their mistakes and now 412 million people are high-value targets for blackmail, phishing attacks and other cybercrime. This is ten times worse than the Ashley Madison hack. Wait for a raft of class-action lawsuits."
Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.
Any of these 339 million registered AdultFriendFinder users are now a target for a multitude of social engineering attacks. People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.
There will be phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, let alone the divorce lawyers and private investigators that are going to pour over the data.
Here is one of the examples of Ashley Madison extortion that came out after that hack, and you can expect the bad guys to do the same thing with AdultFriendFinder:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $625 USD) to the following address:
s4Ez [link added]
Sending the wrong amount means I won't know it's you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you
need help locating a place to purchase BTC, you can start here.....
What To Do About It
I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users today. Feel free to copy/paste/edit.
"Over the weekend it became clear that 339 million names, addresses and phone numbers of registered users at the AdultFriendFinder site (which makes it easy to cheat on your spouse) were hacked. All these records are now owned by cybercriminals, exposing highly sensitive personal information.
These bad guys are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with AdultFriendFinder, or that refer to cheating spouses and delete them immediately, both in the office or at the house."
Please forward this to friends, family, colleagues and peers.
As you can see, stepping your users through new-school security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Current Events template that lures people into clicking on a link to a website to see if their spouse has not been faithful. The subject of the template is "Your spouse was found in the AdultFriendFinder list".
We strongly recommend you send this to your employees as soon as possible. Last year when we did the same thing with Ashley Madison, 4 percent of the people clicked on it.
If you have not done so already, find out how affordable Security Awareness Training is for your organization, and be pleasantly surprised. Get a quote:
Don't like to click on redirected links? Cut & Paste this link in your browser: