AdultFriendFinder was warned about the major hack of its system two months before the leak was reported.
Information posted on http://databreachwallofshame.org/ this week shows email communication between AdultFriendFinder and a security researcher – under the name CISO Darknet Group – who contacted the company informing them of the severe breach.
In an email sent on 12th March with the subject “BREACH ALERT! URGENT!”, CISO tells the company they have been the target of a data breach by a darknet bad-actor, and the “magnitude of this breach is comparable to Sony.”
The email says: “All, and we mean ALL your databases for customers and personnel has been dumped, and the remainder of FFN brands are now the target of this hacker. This bad actor is in the process of selling this access and data.”
CISO sent the email to FriendFinder Networks executives, including Chairman of the board Daniel Staton, President Joseph Gallo, VP Stacey Swaye and VP of Sales Sean Christian.
Although none of these executives replied to the warning email, a read receipt was received on March 12, 2015.
The receipt was returned by a Nancy Roberts, who was not on the list of recipients, but as the security researcher says, “one can only assume that Ms. Roberts was tasked with reading and replying for one of the original recipients.”
FriendFinder Networks said they never received the email sent on the 12th March, as it was sent to the company’s sandbox, or email trash.
In a statement provided to Channel 4, the company said: “FriendFinder employees receive hundreds of sales and marketing spam messages daily, including many from third party cyber security consultants, and any earlier communication on this specific issue was directed to junk mail folders and not considered a legitimate email.”
Channel 4 also followed up on the original deep web forum where the data was being sold.
They found the hacker, named ROR[RG], was asking for over £10,000 in Bitcoin for access to the AFF database.
He also said he had received multiple offers from people asking to buy the database, and that he would break into “any company or site for 750 in under seven days.”