Cyber Incident Victim: Fling

Date: Jan 2011

Location: United States of America

Summary

A hacker leaked data from an adult dating platform, exposing user credentials stored in plaintext, personal details, IP addresses, and sensitive preferences regarding relationships and sexual interests. The breach included both active and disabled accounts, with some records potentially originating from administrators. While the attacker claimed to possess 40 million accounts, the actual number remains unverified, and discrepancies were noted between the leaked data and active user accounts. Verification by external security researchers confirmed the authenticity of the sample dataset, highlighting inadequate security practices such as transmitting passwords in clear text during account creation.

Description

In May 2016, a hacker using the alias "Peace" advertised the sale of tens of millions of user accounts from the adult dating site Fling.com on the dark web marketplace Real Deal. The dataset, priced at 0.8888 bitcoins (approximately $400 at the time), purportedly contained 40 million records, though this figure remained unverified. Motherboard obtained and analyzed a sample of the data, which included email addresses, usernames, plain text passwords, IP addresses, dates of birth, account types (free or paid), gender specifications, and sexual preferences such as "fetish," "group sex," and "online flirting." Some records indicated administrative accounts. The Fling.com domain registrant confirmed the legitimacy of the sample data but attributed it to a 2011 breach, emphasizing that the site did not store credit card information. Security researcher Troy Hunt cross-referenced the sample with his "Have I Been Pwned?" database, contacting two affected users; one confirmed their full password matched the breach data, while another recognized a partial password but denied creating a Fling account.

Further analysis revealed inconsistencies in the dataset and Fling’s operational practices. Only 61 of 101 sampled email addresses corresponded to active Fling accounts, despite some inactive accounts being flagged as "admin_disabled" or "user_disabled" in the breach data. Motherboard’s test account creation showed Fling transmitted passwords in plain text during signup and enforced numeric character requirements—a policy contradicted by the presence of letter-only passwords in the breach sample. Fling’s website claimed 50 million "real" members and denied creating fake accounts, though users could register without email verification. The exposure of sexual preferences and personal details raised concerns about targeted blackmail campaigns. Fling advised users to change passwords, particularly if reused across other services, but did not disclose remediation efforts beyond attributing the breach to 2011. The incident underscored risks associated with password reuse, inadequate authentication protocols, and long-term data retention vulnerabilities.
