Online hookup website “Adult FriendFinder” might have been hacked—again. The alleged hacker boasted on Twitter posting two screenshots that appeared to show he had access to some portion of the website’s infrastructure.
Administrators for LeakedSource say what they’ve amassed so far from FriendFinder Networks Inc., easily surpasses 100 million records. IT security experts from Redscan, ESET and AlienVault commented below.
Leon Pinkney, SOC Services Director at Redscan:
“Despite the many unanswered questions surrounding the reported attack, businesses have an obligation to treat every threat seriously.
While it’s not currently known what data the attacker may or may not have retrieved, Adult FriendFinder needs to learn from public criticism of companies such as Yahoo and be proactive at alerting customers to a potential breach. Not waiting months, or even years, down the line.
File intrusion exploits are not new and occur because websites do not validate information entered by users performing actions such as site searches or completion of forms. If not monitored, these functions can be exploited to search a network for sensitive files or upload malware. Sanitizing input through white and black listing is one way that websites can protect themselves against this type of attack.
Gloating on social media might been seen as risky but sadly for the authorities, clever attackers will cover their tracks using VPNs and proxies, meaning even publicity craving hackers can be difficult to identify.”
Javvad Malik, Security Advocate at AlienVault:
“How do you prove a negative? This is the challenge faced by security departments around the world. If someone claims that they have breached your network, proving that they haven’t is near impossible.
Unfortunately what recent history has shown us is that many companies remain blissfully unaware of a breach until it is far, far too late. While we may not be able to fix the problem of having to prove a negative, having good, robust detection controls in place can at least alert when a potential breach does occur. So even if an attacker goes public with information, a response plan can be put in place in advance to minimise the fallout.”
Mark James, Security Specialist at ESET:
“With so much data surfacing from data breaches it’s a real possibility this new database exists, whether its actual data from a current hack or old data resurfacing from the 2015 breach, only time will tell. These days hacks are becoming all too common place, you could even argue that it’s not “if” but “when” you will be hacked, regardless of how much you invest in securing your users data there’s one thing that’s unacceptable and that’s being hacked twice in close succession, if this hack turns out to be legit then it’s clear that lessons may not have been learned.
Publically gloating on Twitter will certainly draw attention to the attacker; it may also enable authorities a base to start working from. Anonymity on the internet is not as easy as it sounds, staying hidden and anonymous may seem as simple as using an application or layering different programs but staying hidden is a lot harder than people think.
Of course the usual advice of changing any passwords that may be used on other sites that you used on this website applies. Also, be very aware of any scam or phishing attempts around this sensitive information that may have been leaked. Due to the nature of this data people may feel obliged to keep it quiet and may increase the success rate of their attacks. As for the company running these sites they have to ensure all software and applications are running the latest versions and fully patched, all too often these breaches happen because flaws or vulnerabilities exist that have already been patched.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.