The recent attacks on Ashley Madison are not the first security breach of an adult social network or dating website. Scores of other such sites, including extramarital affair platform Gleeden, have had their user data accessed and sold on the dark web.
Over the past 20 years we have moved a very significant part of our identity online. Our professional records, academic achievements, social standings and circle of friends can all be found in various social media networks. Our interpersonal communications and thoughts are within our emails and text messages.
In addition to the intrigue and graphic appeal of dating websites, they all offer secrecy, privacy and confidentiality. Trusting a specific site is not based on facts, but rather on statements from the website itself. Unfortunately for many love and lust seekers, hackers are naturally attracted to dating websites for a variety of reasons and they do not stop to read about the security and privacy of a site – they just try to exploit it.
Why are dating sites such a big target? Firstly, dating site users are primary targets for many typical types of spam, whether it is weight loss, libido boosters or pornography. The sites host user information that gives spammers a better chance of finding their targets, as they store attributes like gender, age and body shape. Spammers customise campaigns based on perceived needs, and demographic data helps them target specific users. Other ways to profit include romance scams, impersonations and blackmail.
After monitoring dating sites for vulnerabilities and breaches for well over a decade, it does not come as a surprise that one of the more salacious sites like Ashley Madison gets compromised. In the wake of the Sony breach and Snowden disclosures, public shaming of organisations is a proven and effective way to raise awareness of the perceived issues through stolen data disclosures and blackmail.
Back in 2009, working with then Washington Post reporter Brian Krebs, I detected a vulnerability in another popular adult dating site – Seeking Arrangements. The vulnerability allowed attackers to bypass all authentication needed to access private profiles, messages and other supposedly secure information. Although the site owner gave assurances that the issue was fixed, the site remained vulnerable for another year and a half, despite my attempts to contact them.
Gleeden, a similar dating site for extramarital affairs, was breached last year and had 1.8m user records stolen. We contacted the site owners to explain the nature of the breach and had data samples that were shared by hackers. To the best of my knowledge, the real victims of this breach, the end-users, were never alerted. A similar story was seen with another risqué social media site, Humaniplex. This breach was a case where unencrypted credentials were stolen and trafficked on the black market.
The ugly truth about dating sites is that many of them get breached. Millions of users' records, conversations, private thoughts, desires and wishes go from mildly protected websites right into the hackers' archives. Luckily, most of the data has never been used against the various sites' customers for blackmail – until now.
Most dating sites were already breached
I first spoke about the idea of a "social ripple" in 2007, after identifying a number of security flaws within one of the biggest dating websites. What would happen if people's dating messages became public? How many lives would it ruin? How would our society react? Would it impact on divorce rates? Would it embarrass a number of prominent individuals? Would it sway focus in the workplace from business issues to personal issues, leaving companies floating temporarily without guidance? Would blackmail grow into physical threats?
It is an uncomfortable thought that most dating sites have already been breached, and that your dating info may already be stolen. And it is especially difficult to realise how many of your personal thoughts and desires could be used against you, even years after you shared them in a place you thought was a private and secure environment.
The concept of online dating is here to stay. Whether it takes place in some of the more immoral forms or not, it is an integral part of our culture. As long as there is perceived value in dating sites' data, there will be malicious individuals wanting to exploit them. So as consumers of any online dating service, don't just feel secure and satisfied with a vague security statement on a website. Do some research about a site's security, privacy and track record. Dating takes a leap of faith. Choosing a dating site should not.
Alex Holden is the founder of Hold Security and one of the world's most renowned dark web consultants.