Dating site Topface pays hacker who stole 20 million credentials

When is a ransom not a ransom? When it's a vulnerability

The 'Mastermind' hacker who stole 20 million user credentials from Russian dating website Topface has got an extraordinary response from his victim - an undisclosed payment for "finding" the vulnerability that led to the calamitous breach.

It's an extraordinary turn of events that would be unthinkable in almost any other country, but the site justified its decision with the argument that recovering the data would end the matter once and for all.

Recall that the hacker in question had tried to sell the stolen data on a crime forum, which is where the breach was first noticed by a third party, US security outfit Easy Solutions. Without that discovery the data would probably have been sold on without the site realising that a breach had happened in the first place.

"He [Mastermind] has confirmed the findings of our investigation and has made an agreement with Topface for no further distribution of acquired email addresses database," the firm said in a statement.

"Due to the fact that he has not passed the data to anyone and has no intention to do so in the future, we will not accuse him, moreover, we have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security."

The huge cache included email addresses and user names but not passwords or other account data, the statement confirmed.

"Due to the fact that we do not store any billing information of users, and authorisation of more than 95 percent of accounts are going via social networks, we are confident that third parties could not get any additional data of users."

Users logging in to the site using email addresses had been asked to change their passwords as a precaution.

The response leaves a number of questions lingering, such as how Topface can be certain that the data has not already been passed on. Topface describes the transaction as a payment, but to many others it will look like a ransom of sorts. Presumably, if someone else had offered a higher price, buying the data back wouldn't have been possible.

Hackers who mine some kind of reward out of bending the rules are far from unknown. One example is George 'Geohot' Hotz, who in 2011 got a job at Facebook after acquiring mild notoriety for jailbreaking the iPhone in 2007 and doing the same to Sony's PlayStation 3. However, he was not taking money after stealing data, so the comparison is not a direct one.

With nearly 92 million users and growing, Topface doesn't appear to have suffered any negative consequences as a result of the breach.


Stories by John E Dunn
