Casual dating website Adult Friend Finder, which boasts some 63 million users across the globe, has warned customers that their personal data may be at risk following what appears to be a massive leak.
The breach, which is believed to have exposed around 3.6 million or more records, is currently being investigated by police.
Compromised information is said to include usernames, email addresses, post codes, IP addresses and details of people who have indicated they are looking for an extramarital affair.
Californian FriendFinder Networks says it is aware of the “seriousness” of the potential breach, which appears to affect both current and deleted user accounts.
Given the nature of the site, and the fact that other personal details such as sexual preferences were leaked, the potential damage to affected users could be severe, as pointed out by Tripwire’s Director of Security and Product Management, Tim Erlin:
Aside from the known value of compromised personal details on the dark web, there’s certainly the potential for blackmail from this breach. If any high profile, public figures or politicians have been using Adult Friend Finder, they might consider how the details they entered there could be used against them.
Commenting on Twitter, our very own Brian Honan came to much the same conclusion:
Further details about the breach remain few and far between at the moment, with the California company merely telling Channel 4 News that it “understands and fully appreciates the seriousness of the issue” and has “already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert”. The company also vowed to take the necessary action to protect its affected customers.
While the lack of further information may be frustrating, especially to anyone who has ever signed up to Adult Friend Finder, it is hardly surprising. As Erlin says:
It’s become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It’s not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.
So what’s next if you are a victim?
While it is hardly clear-cut at the moment, the experience of one user may give some insight. Shaun Harper says he has been targeted with malware-laden emails since his details were published (you can check whether yours have been leaked here), even though he had already deleted his account and believed all of his information had been removed.
I’d suspect that in addition to infected emails and the aforementioned potential for blackmail, there is also a very strong likelihood that personal information will be sold on to companies and individuals with an interest in creating user profiles, not to mention an increase in personalised phishing emails hitting inboxes.
As Ken Westin, Senior Security Analyst at Tripwire, says:
The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual.
Depending on the type of information that is compromised, this data can be used to link aliases to other accounts via email or other shared attributes and unveil connections to accounts that were not seen until now. An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity. This is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.
It is also highly likely that affected customers will see an increase in junk email over the next few weeks: as the stolen records began to circulate on the dark web, hackers said they intended to spam compromised email addresses.