HackDig : Dig high-quality web security articles for hacker

Adult Friend Finder leak – what can we learn?

2015-05-23 01:35

This week, a data dump of the Adult Friend Finder database was released. Personally identifiable information (PII) leaked includes user handle, name, age, gender, order information, profile type, and email addresses for as many as 3.8 million users. Additionally, it has been reported that the details of users who had requested account deletion were still included in the database.

As database leaks become more common, users must become proactive in guarding personal information and compartmentalizing the various aspects of their lives, so that a single breach does as little damage as possible to their personal and professional lives. Enterprises, meanwhile, need to consider the effect that employees’ personal online activities may have on the organization’s security posture.

Potential repercussions

The Adult Friend Finder data dump highlights several areas of risk users face when signing up for any online service. The first is credential reuse. Many users are in the habit of registering for a variety of services using the same handle or email address. While this practice is not a risk in and of itself, users must realize that reusing an online handle or email address gives both curious and malicious individuals a lead for following their trail of online activity from one service to the next. Less security-savvy users also tend to reuse passwords across multiple sites. This is a dangerous practice, as a single leaked password can result in the compromise of every account where that user reused it. (Password data was not included in this particular data dump, but other dumps have included it.)

The Adult Friend Finder dump exposed multiple users who signed up for the service with their corporate, military, or university emails. These included employees of the US military, major tech and financial institutions, a major airline industry entity, as well as multiple students and university staff. Reminiscent of the 2011-2012 Stratfor incident, this incident highlights a second area of risk: using one’s corporate or business email to register for a personal service. This practice is not recommended for the following reasons:

  • Many corporate email addresses include the user’s real name. A user registering for an otherwise anonymous service could expose his or her real identity by using a corporate email address.
  • If an individual uses both a corporate email address and a password he or she uses for corporate access when registering for a site, attackers can harvest those credentials and potentially gain access to corporate assets.
  • A malicious actor could use the information for extortion, particularly in the cases of federal and defense-sector employees.

A third risk is personal risk. A user must consider whether exposure of his or her personal, political, religious, ideological, or sexual preferences, or even simply exposure of the fact that he or she uses a service, could have negative repercussions on a personal level. Would this exposure affect his or her job, relationships, reputation, or well-being? Could a malicious actor leverage the information for blackmail? Would public release of the information result in personal embarrassment?

HPSR recommendations

Based on this breach and other recent events, it is clear that users must expect that a breach of their information will eventually occur. For this reason, they must take proactive measures to protect their identity. Individuals can use the following precautions to best protect their personal and professional well-being when registering for a website or service:

  • Use unique, secure passwords for each website or service.
  • Avoid mixing business with pleasure – never use your corporate or student email address to register for anything meant for personal use.
  • If you would be uncomfortable with a certain aspect of your life being made public, avoid using your real name, or a handle or email address easily associated with your person, when registering for the related site or service.

Companies can also take steps to minimize risk when employee credentials used to register for a personal site are leaked publicly:

  • Use a service, such as HP Threat Central, that monitors data dumps for corporate email addresses and notifies affected entities of leaked email addresses or credentials in real time. (One of the many benefits of an automated information-sharing service of this sort is that it can communicate such findings in a timely, trustworthy, and secure fashion.)
  • Disable the potentially compromised user accounts, or force a password reset on them, and review authentication logs to ensure those credentials were not used by a malicious actor.
  • Educate employees on the risks of using their corporate email address to register for websites and services that are meant for personal use.
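The first of the company-side steps above, matching a dump against the email domains an organization owns, is straightforward to automate. The following is an added example written for this page, not code from HP Security Research or from any monitoring product; the dump columns, the owned-domain list and all records in it are constructed for illustration. It normalizes addresses, matches the owned domain and its subdomains while rejecting look-alike domains, deduplicates repeated entries, and carries through a constructed "deleted" column to mirror the report that users who had requested deletion were still present in the database.

```python
"""Scan a leaked-database dump for accounts registered with corporate email
addresses.

Added example, not code from the original HPSR post: the dump format, the
domain list and the records below are all constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample dump. The column names are an assumption about what a
# leak of this kind might contain (the post lists handle, name, age, gender,
# order information, profile type and email); "deleted" models the reported
# detail that accounts which had requested deletion were still present.
SAMPLE_DUMP = """\
handle,name,age,gender,profile_type,email,deleted
nightowl42,John Doe,34,M,standard,john.doe@corp.example,0
seeker,Jane Roe,29,F,premium,JANE.ROE@Mail.Corp.Example,1
freebird,Pat Smith,41,M,standard,pat.smith@gmail.example,0
notcorp,Sam Lee,37,F,standard,someone@notcorp.example,0
anon77,Alex Kim,25,M,standard,a.kim@eng.corp.example,0
dup,John Doe,34,M,standard,john.doe@corp.example,0
"""

# Domains the organization owns (constructed). Matching covers the domain
# itself and any subdomain, but NOT look-alikes such as notcorp.example.
CORPORATE_DOMAINS = {"corp.example"}


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def is_corporate(domain, owned=CORPORATE_DOMAINS):
    """True if `domain` equals an owned domain or is a subdomain of one."""
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in owned)


def scan_dump(text, owned=CORPORATE_DOMAINS):
    """Return the deduplicated corporate accounts found in a CSV dump.

    Result: {lower-cased email: {"handle": ..., "name": ..., "deleted": bool}}
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        domain = email_domain(row.get("email", ""))
        if not is_corporate(domain, owned):
            continue
        addr = row["email"].strip().lower()
        # Deduplicate so one person listed twice is reported once.
        hits.setdefault(addr, {
            "handle": row["handle"],
            "name": row["name"],
            "deleted": row.get("deleted") == "1",
        })
    return hits


def summarize(hits):
    """Group matched addresses by domain so each business unit can be notified."""
    by_domain = defaultdict(list)
    for addr in sorted(hits):
        by_domain[email_domain(addr)].append(addr)
    return dict(by_domain)


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for addr, info in sorted(found.items()):
        flag = " (had requested deletion)" if info["deleted"] else ""
        print(f"{addr}: handle={info['handle']} name={info['name']}{flag}")
    print(summarize(found))
```

On the constructed dump this reports three accounts (john.doe@corp.example, a.kim@eng.corp.example and jane.roe@mail.corp.example, the last flagged as having requested deletion) and ignores both the consumer address and the look-alike notcorp.example domain. The per-domain summary is what would feed the disable-or-reset step that follows: each matched address is a corporate account whose owner used it, and possibly a corporate password, on an unrelated personal service.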
