In the Wake of OPM Hack: Why Adult Websites Like the Hacked Ashley Madison are a Cyber-Spy’s Dream
This post originally appeared on the Inteller blog. It is republished here with permission by the author.
A few weeks ago we’ve learned that the United States Government’s Office of Personnel Management (OPM) has been breached, with fingers pointed at Chinese spies. Dubbed as “the worst hack of all time”, the hackers were able to exfiltrate the details of around 4,000,000 United States government employees, with security experts estimating the data may be later used for asset recruitment. To make matters worse, the stolen information includes “adjudication information” – files that the government assembles on employees requesting security clearance that include data such as infidelity, sexual fetishes, and more. To make matters worse still, the higher you go up the ladder, the more “adjudication information” the government has on each employee – and that data is in the hands of the hackers now. This information, as you can imagine, makes employees ripe for extortion.
Extortion can be a very powerful tool when recruiting foreign assets, it’s no wonder that intelligence agencies have used these tactics, according to reports. This practice means that obtaining extortion-enabling data would be a major win for the cyber-spies. In that regards, the OPM hackers have won the jackpot – they were able to steal both information on the employees and the ways to extort them. However, not all spies can be that lucky. Information on a foreign government’s employees doesn’t usually come with the blueprints on how to exploit them, those have to be obtained elsewhere. Meaning, any site or database which holds these sensitive details immediately becomes a target. In comes adult sites.
Sexual preferences, fetishes and adultery can all be found in data stored on adult websites’ servers. Just the list of User IDs and their E-mails could be enough to provide capable spies with leverage over their targets. An E-mail is enough to link an extortion target with a specific user account, while the User ID can be used to locate them on the website and collect incriminating information on whatever it is they are into. The E-mail could also be linked to various social networking sites such as Facebook, revealing the identity of some of the users. For some sites, information that proves someone is their member is powerful enough leverage to recruit them. Adultery, fetish and BDSM sites are such examples. The question is, considering all the incredibly sensitive information adult websites have on their users, how well protected are they from some of the most capable hackers in the world. The question is what you’d expect – not that much.
Take Adult Friend Finder, a site aimed at arranging “hook ups” between its members, as an example. At the end of May this year the site admitted that its database has been breached, which according to reports exposed data on 4,000,000 of its members. Despite the fact that payment information hasn’t been leaked, the user information including E-mail addresses did end up in cybercriminal circles. Despite the fact that this database dump does not contain enough data to enable cybercriminals to commit financial fraud and identity theft, as Brian Krebs pointed out on his blog, there is enough data for extorting people on the list and other nefarious activities. There is no evidence suggesting any other adult website is more (or less) secure than Adult Friend Finder.
A more recent incident is Ashley Madison. The site aims to provide adulterers with a platform to connect and cheat on their spouses. Naturally, personal information of Ashley Madison members is extremely sensitive, as it has the power to destroy many lives – and now, hackers threaten to publish information on all of the site’s members. If they follow through on their threat, this information would be a treasure trove for foreign spies. Together with the data obtained in the OPM breach, they could identify high ranking government employees that happen to cheat on their spouses and extort them. In that regard, Ashley Madison is the holy grail of adult websites when it comes to extortion and publishing its members data would be a serious incident.
A lot has been said about the new “cyber battlefield”, one that is not necessarily fought by the military but by those who run and protect civilian companies and websites. Critical infrastructure, utility companies and financial institutions have always known that they are at the front lines of this war, heavily investing in their security (how well these security measures held up to attacks is another question). However, it’s quite the possibility that the adult industry is sitting in the same trenches along sides these organizations.