Back in July of 2015, Ashley Madison, a popular website dedicated to facilitating marital affairs, was hacked by a group called the Impact Team. The hackers demanded that Ashley Madison shut down their website or they threatened to release all clientele info, 32 million in all. Ashley Madison did not back down, the info was released to the public and there are now a lot of unhappy people out there and some suicides as well. For instance, a priest in Louisiana committed suicide after his wife found him out, as did a Texas police chief. A number of other suicides have been reported worldwide. One would have thought that the mammoth Madison hack would have sent shock-waves throughout the online sex/porn industry, leading such companies to better prepare for such eventualities. Apparently that call went unheeded. Or is it that hackers are ahead of the game?
Here we go again, 400 Million (new) users
In October of 2016, hackers struck again, but this time the damage was much more far-reaching. Leaked Source has reported and confirmed that 5 major websites in the porn/sex industry have been hacked with the information over 400 million users now accessible to the public. Stolen data included over 5,000 government registered emails and nearly 80,000 military issued emails. The effect that this will have on governmental and army positions and appointments has yet to be seen. Hacked and released info includes, Email addresses, usernames, dates of birth, post codes, unique internet addresses, sexual orientation and more.
The question is, how could this have happened and what measures could websites have taken to mitigate the damage.
Was it Negligence?
Leaked Source found that the overwhelming majority of hacked passwords were stored the plain visible format or in SHA-1 format, known to be completely insecure. Interestingly, Leaked Source showed that no matter how long and complicated the password, they were all easily hackable due to the poor and insecure algorithms that were supposed to be protecting them. It seems that FriendFinder Network and other companies should have known better and missed the warning signs.
Who ignored the Alarm Bells
As far back as 2005, Bruce Schneier began to reveal early warning signs about the dangers of using SHA-1. While technology did exist even back then that could successfully penetrate the algorithm, it was too expensive to be used on a wide scale. He quoted an old idiom from the NSA that, " Attacks always get better; they never get worse.". At that time, Jon Callas, CTO of PGP Corp , a global leader in email and data encryption, stated; "It's time to walk, but not run, to the fire exits. You don't see smoke, but the fire alarms have gone off."
In 2014 Jon Callas’ prediction was materialising and Google began to actively warn users against using websites with SHA-1, even launching a HTTPS security indicator to warn users. Google stressed that the chrome interface will consider SHA-1, as not fully trustworthy as soon as January 1st, 2017 and most major browsers are following suit. Even more disturbing, in September 2016 the public learned of the true extent of the 2014 Yahoo breach that compromised 500 million records. According to cryptographic researchers at Venafi a US based cybersecurity company, surprise, Yahoo was also using the useless SHA-1 algorithm.
Checkout, but you can never leave
Perhaps the most infuriating aspect of this most recent massive cyber event is the 20 years' worth of information stored in the systems. Adult FriendFinder was a bad version of the Hotel California, where you could checkout, but never leave. The company maintained 15 million accounts that were supposed to have been deleted. According to the Leaked Source report, when users tried to delete accounts, Adult Friendfinder simply just added firstname.lastname@example.org@deleted1.com for example. Why the company insisted on storing inactive users who had for years abandoned the site is beyond anyone's comprehension. Unsurprising, according to TechTimes, Adult Friendfinder has yet to respond to questioning on this matter.
All of the above facts leave us with more questions than they do answers. With the years of warning signs from leading professionals in cyber field and the numerous preceding attacks that were of similar nature, how could the FriendFinder Networks and the other major sex/porn websites have failed? Or maybe there was a plot even more sinister at play here?