Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites such as Ashley Madison, OKCupid and others are constantly being attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security measures in place that fall far short of the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?


1. Keep Your Software Patched


In the recent Rosebuttboard hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy pickings for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched and up to date, ensuring that the versions you run have no known flaws. This instantly makes it harder for hackers to breach your system.


2. Encrypt Your Sensitive Data


In addition to running an out-of-date forum system, Rosebuttboard also used an archaic and easily crackable encryption method to store its users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.


3. Don’t Keep Data You Don’t Need


Another adult dating site has also been the victim of a data breach, with information such as sexual preferences, email addresses and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found among the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32 million cheating spouses, and even led to multiple suicides.


Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.


Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet the leaked data still contained sensitive information from those who had paid for it.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.


The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

Everything You Need to Know About the Ashley Madison Hack

On July 19, well-known security blogger Brian Krebs reported that the online cheating site Ashley Madison had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.

The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.

The Impact Team released the information in protest of ALM’s “lies” regarding its Full Delete function. Users were told that they could completely wipe their profiles and information from the ALM databases at a cost of $19. However, when The Impact Team compromised ALM’s servers and looked into their databases, they found that the information was not being deleted even after the delete fee had been charged.

The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users; Krebs reported that he received a steady stream of emails from Ashley Madison users who were afraid that the leak was going to go through.

Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.



The leak statement posted by The Impact Team


A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.

Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”

However, Krebs has recently edited his original post with this new information:

“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at for prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”

So it would seem, at least for now, that the leaked data is indeed legitimate.



A cheeky billboard put up in Boston by Ashley Madison


From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.

This is a common problem that many companies are alarmingly unaware of.

We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.

The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it. In today’s data-driven workplace, it’s imperative that every company understand what it is that hackers want, and how to keep it away from them.
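The point of the last few paragraphs is that cardholder data turns up in places nobody expected (a backup partition, a legacy export, a stray CSV), and the only way to know is to look. The block below is an added example for this page, not Ground Labs’ product code or the scanner ALM should have run; it shows the core of how cardholder-data discovery works: pull out digit runs of plausible length, discard the ones that fail the Luhn check (order numbers, timestamps, phone numbers), and report the survivors masked rather than in full. The sample lines are constructed for the example and use the well-known public test card numbers; the function names are assumptions of this example.

```python
import re
from typing import Iterable, List, Tuple

# A digit run of 13-19 digits, optionally separated by single spaces or
# dashes, that is not part of a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers.

    Walking from the right, every second digit is doubled and, if the
    result exceeds 9, reduced by 9; a valid number sums to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate in a piece of text, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan line by line; report (line number, masked PAN) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample input: three lines hide card numbers, two do not.
SAMPLE_LINES = [
    "2015-07-19 order=INV-1234567890123456 status=paid",  # 16 digits, fails Luhn
    "txn_id=8f3a9c support phone +1 555 0100",            # too short to be a PAN
    "legacy export: card=4111 1111 1111 1111 exp=09/17",  # Visa test number
    "backup row: 5500000000000004,John,Doe",              # Mastercard test number
    "note: 3530111333300000 seen in old CSV",             # JCB test number
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible cardholder data {masked}")
```

Two design choices matter in practice. The Luhn filter is what keeps a scan of a large environment from drowning in false positives from invoice and serial numbers, which is why the first sample line is silently dropped; and the scanner never writes a full number into its own report, because a discovery log that contains PANs is itself another copy of the data you were trying to find and remove.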

As of now, the dumped data is making its rounds on the web, with search sites going up (and getting taken down by cease-and-desist letters from ALM) to make the information more accessible to the everyday spouse.

Play It Safe

The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.

Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.


The Dark Side of PCI Compliance — Beware the QSA Sith Lords

Over the years we’ve spent working in the data security industry, we’ve talked to countless QSAs, and companies that have had QSAs audit them.

Observing from a neutral perspective, it became clear to us that how quickly a company can attain PCI compliance (or, put differently, how quickly it can become secure) depends on the quality of service its QSA provides.

If you were wrongfully charged with murder, you wouldn’t want a shabby lawyer representing you in court — you’d be gunning for the best you could afford.

In the same way, it’s ludicrous to even consider working with a substandard QSA partner. If a hacker catches you being any less secure than you should be, your company is going to be in for a world of hurt.

The most vital deciding factor for how much good a QSA can do for you is this: How much do they care for your security?

Because once a QSA goes rogue, all ethics are off the table, which may lead to some practices that will be detrimental to your state of security.

We’ve heard of all kinds of terrible QSA partners; some make no secret of the fact that they are in it only for the money, and others who just want to ‘get it all over with’ and move on to their next client.

These QSAs are willing to go where no QSA should go: incentivizing their employees to perform more audits instead of prioritizing thorough checks, letting their clients write their own onsite reviews and simply signing off on them nonchalantly, and even outsourcing parts of the job to low-cost countries, where the work will not get the level of attention you require.

What A Good QSA Looks Like

When you pick a QSA partner to work with, keep an eye out for these gleaming traits.

A good QSA will maintain a vested interest in you, and for the sake of your security, is willing to be tough, yet fair. Imagine a super nanny-type relationship: if you try to cross the line or cut corners, you’ll get the naughty stool.

They’re willing to go the extra mile because they know that if you get hacked, it damages their reputation too.

Perhaps most importantly, they see themselves as being an extension of your business — your security partner.

Remember, not every QSA is run by upstanding boy scouts who are out to make your security their priority. Perform a thorough background check, including checking their LinkedIn company profile, which should give you a good idea of their manpower and dedication to the craft.

No doubt it’s easier and quicker to just let a bad QSA run its course, but never forget that the entire point of PCI compliance is being secure; it’s so much more than just a hurdle to leap over.



Call to Confession: Companies Who Have Been Hacked, But Aren’t Telling

Data breaches are happening every day. Companies worldwide are losing large amounts of sensitive data to hackers, who can turn a pretty penny selling credit card numbers and healthcare information on the black market.

The problem here is, many of these companies are trying to keep their hacks out of the evening news, and this comes with major negative consequences for consumers.

When a company reports on a hack, the gears of remediation begin to turn. Associating banks will reissue credit cards to all those affected, and breach victims will be sent letters warning them to watch for any unusual activity on their accounts.

By not reporting on hacks, companies are basically denying their customers the right to defend themselves from credit card fraud.

Many companies are afraid to report on hacks because they believe that what comes next is a drop in reputation, and potentially spending millions of dollars on remediation.

On the other hand, though, if they get caught not reporting a breach, it spells even more trouble. The media will drag their names through the mud and shame them publicly. And on top of the usual remediation costs, those companies will have to fork out even more moolah to cover the inevitable onslaught of lawsuits and fines.

Now, you might be thinking that you simply have to avoid getting caught, but staying off the radar isn’t as easy as you might think. Once the banks are able to determine your company was a common denominator for hack victims, a thorough investigation will be conducted, and your mismanagement will be brought to light.

“And I would have gotten away with it too, if it hadn’t been for all those meddling banks and individuals noticing unusual activity on credit card spends!”

Simply put: the best solution for everyone involved is for you to notify the authorities as soon as you discover a breach.

Somehow, unfortunately, all of this is not enough to convince many organisations to come clean once they’re hacked, which has led the US to introduce strict data breach notification laws, stricter than anywhere else in the world.

The US accounts for the most reported data breaches in the entire world.

Coincidence? I think not.

While many countries like Australia and Singapore have guidelines for data breach notifications, they don’t have any concrete laws making it compulsory to do so.

This makes it hard to get a read on just how bad the state of cybersecurity is in those countries. The situation might seem good on the surface, but for all we know, data breaches may be a rampant problem that needs to be addressed urgently.

Don’t Wait, Call Now

One way to think about the whole issue is that getting hacked is just one half of a problem. Many cybersecurity experts believe that all companies are at risk of getting breached, and it’s just a matter of time till yours is too.

The second half of the problem starts when you don’t report on a breach. You’re basically aiding the hackers in selling the data they steal, which will be used by other criminals to commit easy credit card fraud.

Don’t be the person who fails to report a breach. On top of the multitude of business-related reasons listed to report a breach, you owe it to your customers that they be given a head start in securing their sensitive data, before the threat of fraud comes around.



Data Breach Week in Review

This week’s reported data breaches are both big in name and in scale. It’s really hard to find a story that tops 5 million leaked Gmail credentials, but Home Depot apparently lost 12 times that. There is a clear need for improvement in data security, and it couldn’t come any sooner.