The hacker claims to be selling tens of millions of accounts, which include plain text passwords, email addresses, and information about users' sexual desires.
Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
In our series Another Day, Another Hack, we do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, real people are still getting fucked over somewhere, and should know about it.
A hacker claims to be selling tens of millions of user accounts for adult dating site Fling.com on the dark web, including information on sexual desires, preferences, and other personal details.
"Find sex by contacting fellow Fling members and get laid tonight," the site reads. "Check out millions of fun photos and watch webcams that allow you to party with members live on the best adult personals." Users can send private messages to each other, upload pictures and more.
The data is being sold on the Real Deal market, a dark web site specialising in the peddling of stolen data and computer exploits, by a hacker who goes by the name Peace.
Motherboard obtained a sample of the data from Peace, which contained email addresses, usernames, plain text passwords, IP addresses, dates of birth, and more. Records also indicated whether the account was a free or paid version, and what gender and sort of relationships the user was interested in, such as "fetish," "group sex," "online flirting," or "other." Some of the accounts appear to belong to Fling administrators.
The person who the Fling.com domain is registered to confirmed the legitimacy of the sample data.
"We take internet security very seriously," he wrote in an email. "Our site is free to join and we do not store any credit card information. We've investigated the sample data and it is from a breach that happened in 2011."
Motherboard shared the sample data with security researcher Troy Hunt, who maintains the breach notification website "Have I Been Pwned?" Cross-referencing the sample with email addresses already contained in Have I Been Pwned's database, Hunt managed to contact two victims from the breach.
One of those victims confirmed their full password, while another said that the beginning of the password in the Fling sample was something that they have used in the past. The latter said they had no recollection of signing up for the site. In Motherboard's tests, Fling sends a user their full password when creating an account.
Notably, some of the email addresses in the sample, however, did not appear to correspond to accounts on Fling. Out of 101 email addresses that Motherboard tested on the site, only 61 were already in use. Accounts in the sample were also flagged with settings such as "admin_disabled," "user_disabled," or "active." However, these flags seemed to have no bearing on whether an email address was already in use or not on Fling. Ostensibly, accounts that have been disabled by users are still included in the data.
Peace claims to be selling 40 million accounts in total, but Motherboard could not confirm whether that many accounts have been obtained, nor how many of the accounts belonged to legitimate users. Peace is selling the data for 0.8888 bitcoins, or just over $400 at today's exchange rates.
"We don't create fake accounts," the Fling site reads, which claims to have 50 million members.
It's also worth bearing in mind that it's possible to create an account on Fling without clicking a verification link sent to an email address. And when Motherboard created test accounts on the site, it was necessary for the password to contain numbers, but in the sample data, many passwords only contained letters.
The lesson: Anyone who has used Fling should change their password as a precaution, and especially if that same password has been used on other, more valuable services, such as an email account. Victims should perhaps prepare for receiving unsolicited emails too, and in particular ones that threaten users with blackmail, based on their information being linked to Fling.
Another day, another hack.