Cyber Incident Victim: The Fappening Forum
Date: Apr 2016
Location: United States of America
Summary
A forum dedicated to sharing leaked celebrity images suffered a data breach exposing approximately 179,000 user accounts, including numerous government-associated email addresses, with 30% of the compromised credentials previously involved in other breaches. Concurrently, malicious advertisements on the platform targeted mobile users, redirecting them to fraudulent applications that delivered SLocker ransomware and browser-locking schemes demanding payment to restore device access, compounding the incident's impact through both data exposure and malware infections.
Description
The Fappening Forum, a platform previously associated with distributing leaked celebrity nude photos, experienced a significant data breach around April 13, 2016. Security researcher Troy Hunt added over 179,000 user records from the forum to the Have I Been Pwned? breach notification service. The exposed data included email addresses, with a notable presence of .gov email addresses among the compromised accounts. Approximately 30% of the leaked email addresses had already been exposed in prior unrelated data breaches. The forum had gained notoriety during the 2014 "Celebgate" incident but remained active afterward as a repository for similar explicit content obtained from other sources. No technical details about the breach mechanism or perpetrator were disclosed in available reports.

Concurrently, security firm Malwarebytes identified malicious advertising campaigns targeting mobile users accessing the forum. These malvertisements promoted fraudulent applications, including one disguised as "PornoTube" adult video software that instead delivered SLocker ransomware to mobile devices. Additional browser-based ransomware attacks employed JavaScript to lock victims' browsers until ransom payments were made. The combination of personal data exposure through the breach and device compromise via malvertising created compounded risks for affected users. Public advisories warned against password resets conducted through mobile devices due to the active malvertising threats. The incident highlighted security vulnerabilities in both the forum's infrastructure and its advertising network, though no mitigation actions by forum operators were documented in available sources.
