Cyber Incident Victim: Affinity

Date: Apr 2023

Location: United Kingdom

Summary

A cyber incident at Affinity involved a hacker compromising an administrator account for its user forum. The breach exposed member data including usernames, email addresses, and last used IP addresses; this information is not publicly available and could be used for targeted phishing campaigns. The company confirmed that no passwords, financial data, or main account details were accessed, as the forum system is separate from primary user accounts. The incident was reported to the UK's data protection authority.

Description

On April 6, 2023, a security incident occurred affecting the user forum of Affinity, a UK-based developer of photo editing, graphic design, and publishing software. The incident involved the compromise of an administrator’s account for the forum, which provided a hacker with unauthorized access to the user data stored within that system. The company, owned by Serif, subsequently conducted an investigation to determine the nature and scope of the breach. The compromised forum user data included information such as usernames, reputation scores, join dates, post counts, email addresses, and the last used IP addresses of the affected forum members. While much of this information, excluding email addresses and IP addresses, was already publicly visible on the forum, the access to private email and IP data elevated the risk for those individuals.

The company determined that the breached information did not include any user passwords, financial data, purchase history, physical addresses, phone numbers, or any other information held within a user's main Affinity account or AffinityID. This distinction was made clear because the forum was described as a standalone system completely separate from the primary user accounts used for purchasing and licensing the Affinity software suite. This separation limited the immediate impact of the breach to the forum community itself rather than the broader customer base. The exact number of users whose data was accessed was not publicly disclosed by the company; however, the scale of the potential impact was indicated by the fact that the Affinity forum had nearly 175,000 registered members at the time of the incident.

Following the discovery and investigation of the breach, Affinity took steps to notify its forum users of the event. The company informed them that a hacker had gained access to their forum data via the compromised administrator account. In these communications, Affinity specifically warned users about the increased risk of receiving targeted phishing attacks due to the exposure of their email addresses. The company advised users to be vigilant against unsolicited communications that might attempt to use the details from the breach to appear legitimate. This type of information can be leveraged by malicious actors to craft convincing social engineering campaigns.

As part of its response, Affinity formally reported the data breach to the UK Information Commissioner’s Office (ICO), the national independent authority responsible for upholding information rights. This action is a standard regulatory requirement for organizations operating in the UK that experience a personal data breach. The company also stated that it had taken steps to prevent such incidents from occurring in the future, though the specific technical or administrative security measures implemented were not detailed in the public statement. The root cause of the administrator account compromise, such as how the credentials were obtained by the attacker, was not disclosed by the company.

The incident had several clear impacts despite the lack of financial data exposure. The primary consequence was the potential for misuse of the stolen email addresses and IP addresses. Email addresses can be used as a foundation for phishing and spam campaigns, while IP addresses can provide coarse geographical information about a user, which could further refine a targeted attack. The reputational damage to the company, while not quantified, is an inherent consequence of any cybersecurity incident, requiring public communication and remediation efforts to maintain customer trust. The breach also triggered a regulatory reporting process, engaging the UK ICO and demonstrating compliance with data protection laws.

The response actions undertaken by Affinity included the internal investigation to ascertain what data was accessed, direct notification to the affected forum user population, and a public notification via a press release that was subsequently reported on by cybersecurity news outlets. The company’s public messaging aimed to provide reassurance by clarifying the limits of the breach, specifically highlighting the separation between the forum and core financial systems. The commitment to implementing improved security measures was communicated as a key part of the response, intended to address the vulnerability that was exploited and to enhance the overall security posture of the forum infrastructure. The entire event, from the initial breach on April 6th to the public disclosure and reporting to authorities, was managed within a short timeframe, with public knowledge of the incident emerging in the following week.
