The personal details of millions who signed up to a sex hook-up website in the past 20 years have been exposed in one of the largest ever data breaches.
The email addresses and passwords of 412 million accounts have been leaked after the meet-up website AdultFriendFinder and its sister sites were hacked. At least 5.2 million UK email addresses were stolen in the breach, which also included the date of last visit, browser information and some purchasing patterns.
AdultFriendFinder describes itself as “one of the world’s largest sex hook-up” websites, with more than 40 million active users. The hack, against its parent company Friend Finder Networks, also involved data from Cams.com, a live video sex site, and Penthouse.com, an internet porn site that was sold in February.
The attack occurred in October and is one of the biggest on record, following closely behind Yahoo, which recently reported the loss of half a billion users’ details. It eclipses last year’s Ashley Madison hack, in which the personal information and sexual preferences of 37 million people were exposed.
The passwords and usernames were stored in a way that is easily decoded: 99 per cent of those stolen were legible to the hackers, either held in plain text or hashed with SHA1. Neither method is considered secure.
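As an added illustration of why plain or SHA1-hashed storage is unsafe (this is example code, not code from the article or from Friend Finder Networks), the snippet below contrasts an unsalted SHA1 digest with a salted, deliberately slow PBKDF2 derivation from Python's standard library; the iteration count is an assumed example value.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Weak scheme of the kind described in the breach: an unsalted SHA1 digest.
# Every account that shares a password gets the same digest, so a single
# precomputed table or one cracked hash exposes all of them at once.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: a random per-user salt plus a slow key derivation
# (PBKDF2-HMAC-SHA256). The iteration count is an assumed example value;
# tune it so that one derivation costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Store scheme, iteration count, salt and digest together so the
    # record can be verified later and migrated when parameters change.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # not a record produced by strong_hash
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal matching bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_correlates(scheme: Callable[[str], str], password: str) -> bool:
    """True if two accounts sharing a password get identical stored values."""
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    print(same_password_correlates(weak_hash, "password"))    # True: SHA1 correlates
    print(same_password_correlates(strong_hash, "password"))  # False: salted
    record = strong_hash("correct horse battery staple")
    print(verify_strong("correct horse battery staple", record))  # True
```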
The stolen data included the details of 15 million accounts that had been deleted by the users but remained on the company’s servers.
Companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk. With this breach of 400 million accounts, expect a domino effect of smaller data breaches driven by password reuse and spear-phishing.
Don’t re-use passwords. One ultra-secure one won’t be any good if someone finds it.
While combining upper and lower case letters with numbers to alter a memorable word – M4raD0na – is often advised, these are more easily cracked than you might think.
Good advice is to make a memorable, unusual sentence: “I am a 7-foot tall metal giant” is better than “My name is John”, and use the first letter of each word with punctuation: “Iaa7-ftmg”.
The best way to protect yourself is to use two-factor authentication, which will send a text with a code or use an app to verify your log-in.
The aim of spear phishing is to trick people into handing over sensitive information, such as card or login details, with an email that appears to be from a person or business they know and trust.
It is more targeted than phishing, in which emails are sent out containing links or attachments that either take you to a website that looks like your bank’s, or install malware on your system.
A report by Verizon into data breach investigations has shown that 23% of people admit to having opened phishing emails.
Many phishing attacks come from Eastern Europe, so be very suspicious if you see RTU in the email address domain.
The bank or the police will never phone you for your PIN or password.
They don’t send you emails from a Hotmail account.
No company will send someone to your home to collect financial information or your bank card. Neither will they ask you to transfer money to a new account – even if it is supposedly for fraud-prevention reasons.
No business or individual needs to know your personal financial information – including the bank or the police. Do not disclose your PIN, password or personal details unless you are sure of who you are talking to.
Do not assume a caller is genuine if they know personal details about you. This could have been gathered elsewhere or pieced together from other sources, such as email, and the caller may be trying to gather more information such as answers to security questions.
When you receive an email asking you to check your account, manually type the company’s website into your browser rather than clicking on a link that could take you to a fake version of the site.