May 26, 2015

The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that ne’er-do-wells are actively trading this data and planning to abuse it for financial gain.

Within hours after data on tens (if not hundreds) of thousands of mSpy users leaked onto the Deep Web, miscreants on the “Hell” forum (reachable only via Tor) were busy extracting countless Apple iTunes usernames and passwords from the archive.

“Apple Id accounts you can use Tor to login perfectly safe! Good method so far use ‘Find My phone,'” wrote Ping, a moderator on the forum. “Wipe data and set a message that they been hacked and the only way to get their data back is to pay a ransom.”

"Hell" forum users discuss extorting mSpy users who had iTunes account credentials compromised in the breach.

“Hell” forum users discuss extorting mSpy users who had iTunes account credentials compromised in the breach.

mSpy works on non-jailbroken iPhones and iPads, but the user loading the program needs to supply the iTunes username and password to load mSpy onto the device. The tough part about a breach at a company like mSpy is that many “users” will not know they need to change their iTunes account passwords because they don’t know they have the application installed in the first place!

Late last week, several publications reported that the database for Adult Friend Finder’s users was being sold online for the Bitcoin equivalent of about USD $17,000. Unfortunately, that same database seems to be circulating quickly around the Deep Web, including on the aforementioned Hell forum.

In an update posted to its site on Friday, AFF owner FriendFinder Networks sought to assure registered users there was no evidence that any financial information or passwords were compromised.

Nevertheless, the AFF breach clearly threatens to inundate breached users with tons more spam, and potentially makes it easy to identify subscribers in real life. Such a connection could expose users to blackmail attempts: I spent roughly 10 minutes popping email addresses from the leaked AFF users list into Facebook, and managed to locate more than a dozen active Facebook accounts apparently tied to married men.

A description posted to the "Hell" forum listing the attributes of the Adult Friend Finder user database.

A description posted to the “Hell” forum listing the attributes of the Adult Friend Finder user database.

According to a note posted by the aforementioned Hell moderator Ping (this user is also administrator of the Deep Web forum The Real Deal), the AFF database has been traded online since March 2015, but it only received widespread media attention last week.

22 thoughts on “Recent Breaches a Boon to Extortionists

  1. raincoaster

    But is there a market any more for blackmail? I’m sure many married men would find it inconvenient for their wives to find out they were registered on Adult Friend Finder, how many would care enough to lay out several thousand dollars to hush it up? Easier to lie and say some idiot troll signed you up without your knowledge.

    1. Martýn Alexandro

      It’s not that easy! I know of one guy who -after having his FB hacked- payed $500 not to be disclosed to his wife (who was a “limited friend”) who his “friends” were…

    2. Jon Marcus

      If passwords have been released, I imagine the threat would be to reveal more than just membership. I’m not familiar with AFF, but I imagine there would be something like chat logs, or lists of people users have met, or even just the listings.

  2. Wayne

    When was the iTunes breech? Was it the one that spilled all the celebrity sex pix, or has there been one since that I didn’t hear about?

    1. slipstream

      The iTunes accounts came from the mSpy breach.

      Basically, mSpy on non-jailbroken devices is just “give us the itunes account details and we’ll exfiltrate stuff from iCloud”.

  3. IA Eng

    For those that would use these services, Its almost important enough to switch telephone numbers and emails. All it takes is to answer one of the requests, and then I can imagine the sharks that will circle.
    No one is guaranteed that a single extortion attempt will be taken against a victim. I am sure they will share data of people who have paid, and people who are dead-ends.
    For the victims, its about the significant others, positions of trust,
    or even worse, having some one messing around, signing up these users for other arenas that may not – or may suit their tastes.
    The possibilities are endless – so may be the pain and agony.

  4. JimV

    Brian, was Hank Williams’ “Your Cheating Heart” playing in the background (or just rolling around your thoughts) while conducting that Tor research, by any chance…?

  5. ErikC

    Are there any actual women on AFF? I thought those guys were all paying money to chat with bots or something like that.

  6. Buddha Chris

    This all goes back to the simple and time tested internet security principle: assume anything and everything you do on the net is discoverable by someone (and this someone is likely to be the worst case for you when it happens).

    Things always circle back to where they started, and most of the times you will eventually be busted for miss deeds.

    1. Mark Allyn

      I have my own gospel. It is ‘Anything you put on line, whether it be work, personal email, chat room, FaceBook, Twitter, LinkedIn; assume that you have
      just climbed Mount Everest and shouted it from the
      top of the mountain so that the whole world could hear clearly every word you have said.

      The best way to hide something is to either not say it or not to take the picture in the first place.

      If you do say it, or take the picture, keep it far from any computer, phone, tablet, or other toy that can be connected to anything. Which may mean you will have to go to film and learn to develop it yourself.

      As for myself, I hide nothing on-line. My art site at as tons of information about my inner secrets including my fashion fetish in clear plastic clothing. The whole world (including work) knows it. It is my choosing. I cannot be blackmailed.

      My private words with my family? Those are not anywhere near a computer.

  7. kyle

    it still amazes me that people falk for the whole “apple is more secure” cr4p. you would think they would learn from recovery epicfails and their remote wipes, then unauthorized sync with icloud, terrible security against flashback, the celeb. leaks, goatse mess-up, and now this. apparently they do not.

  8. Sample M. Goody

    If I were Apple’s security team, I’d go get the mspy list online, then disable all the iTunes passwords proactively, forcing everyone affected to change their password. A nice message to their affected customers that they’d been hacked via mspy, a piece of software installed against their will. Oh, and I’d make sure mspy and its ilk no longer have access to the Apple store.

    1. balanced

      Were I your manager I’d then immediately fire you for insubordination.

  9. Paranoid

    Mspy stored the apple ID passwords in clear text – what a dumb and irresponsible procedure. If you spy on people’s icloud accounts, at least have the decency to keep the their passwords secure.

    1. dolleater

      “if you spy on people ” and “decency” probably don’t mix. especially if are the one spied on.

  10. Johnson Dollar

    Curious to what is the link for the Hell forum, I wan to check and see if my apple id is on there

      1. ping

        The forum is still up and a hint to finding it look for ping, or use your brain its pretty easy to find.

Comments are closed.