
Cyber Incident Victim: TruckerSucker.com

Date: Apr 2023

Location: United States of America

Summary

A cybersecurity incident involving TruckerSucker[.]com resulted in a data breach where hackers stole a database of user information. The compromised data included highly sensitive details such as email addresses, scrambled passwords, private direct messages, sexual preferences, and other personal information. The stolen data was subsequently advertised for sale on a hacking forum, with the threat actor claiming the database contained information on 8,000 users from the website.

Description

On or around April 27, 2023, it was reported that hackers had successfully breached two dating websites, CityJerks and TruckerSucker. The incident involved the theft of a significant volume of sensitive user data from both platforms. The breach was initially brought to light when an anonymous tipster contacted Troy Hunt, the founder of the data breach notification service Have I Been Pwned. The tipster informed Hunt that the stolen data was being advertised for sale on a hacking forum. Following this tip, Hunt conducted an analysis of the data samples provided by the threat actor to verify the breach's authenticity and scope.

Hunt's analysis confirmed the data was legitimate and originated from the two websites. The stolen data set from the TruckerSucker website was reported by the seller to contain information on approximately 8,000 users. The data set from the CityJerks website was reported to be significantly larger, containing information on approximately 77,000 users. The combined breach affected a total of around 85,000 individuals across both platforms. The data exfiltrated was highly sensitive due to the nature of the websites, which catered to adult hookups and specific sexual preferences.

The specific data types compromised in the incident were extensive. The stolen information included usernames, email addresses, and passwords. The passwords were stored using a weak hashing algorithm, which security experts assessed could potentially be broken to reveal the users' actual plaintext passwords. This vulnerability in the storage method significantly increased the risk for affected users. Furthermore, the breach exposed profile pictures, user biographies, self-described sexual orientations, and dates of birth. Location data, including the user's city and state, was also taken, along with their IP addresses, which can be used to infer approximate physical location and online activity.

A particularly sensitive aspect of the data theft involved the capture of private direct messages between users. These messages contained explicit content related to arranging meetups and sexual encounters. Examples of these messages, provided by Troy Hunt, included text such as “I will b [sic] in Jackson on business during the day on Nov.13 if interested message back I won’t have a place, will u?”. User profiles also contained explicit descriptions of sexual preferences, such as “trucker that loves suckin [sic] chubby guys”. The public exposure of such private communications and preferences posed a severe privacy risk and potential for reputational harm to the affected individuals.

The attacker's method involved advertising the stolen databases for sale on a public hacking forum. TechCrunch independently verified the existence of these forum posts, confirming that the data was being actively marketed by the threat actor. The public advertisement of the data increased the likelihood of it being widely distributed and misused. The stated purpose of the websites contextualized the high sensitivity of the leaked data. CityJerks advertised itself as a platform for people to find partners for mutual masturbation, claiming the activity would connect users on a deeper level. TruckerSucker billed itself as a place for “REAL TRUCKERS and REAL MEN” to meet masculine men.

Following the discovery and verification of the breach, the incident was publicly reported by TechCrunch on April 27, 2023. The public disclosure served as the primary method of notifying the user base and the broader cybersecurity community, as the websites' administrators did not initially issue any public statements. The administrator of both CityJerks and TruckerSucker websites did not respond to a request for comment from TechCrunch regarding the breach. The lack of an official response from the affected companies left users reliant on third-party reporting and services like Have I Been Pwned for information about whether their data was compromised.

The immediate impact of the incident was the exposure of a large group of individuals to potential privacy violations, harassment, extortion, and identity theft. The combination of personal identifiers, location data, and highly intimate personal details created a potent set of information for malicious actors to exploit. The weak password storage practices meant that users who reused their passwords on other online services were at an elevated risk of having those other accounts compromised. The exposure of IP addresses could also potentially be used to link online activity to a specific internet connection or geographic area.

The broader consequences of the breach highlighted the ongoing risks associated with storing sensitive personal data without robust security measures. The use of a weak hashing algorithm for passwords was identified as a critical failure in protecting user credentials. The incident demonstrated that even niche websites with smaller user bases are valuable targets for cybercriminals due to the sensitive nature of the data they collect. The public shaming and potential for real-world harm to users of such sites were significant considerations following the data exposure. The response to the incident was largely external, driven by data breach experts and cybersecurity journalists who analyzed the data and reported their findings, as the official response from the website operators remained unknown at the time of reporting.
