Dating site Topface pays hacker who stole 20 million credentials

When is a ransom not a ransom? When it's a vulnerability

The 'Mastermind' hacker who stole 20 million user credentials from Russian dating website Topface has got an extraordinary response from his victim - an undisclosed payment for "finding" the vulnerability that led to the calamitous breach.

It's an extraordinary turn of events that would be unthinkable in almost any other country, but the site justified its decision with the argument that recovering the data would end the matter once and for all.

Recall that the hacker in question had tried to sell the stolen data on a crime forum, which is where the breach was first noticed by a third party, US security outfit Easy Solutions. Without that discovery the data would probably have been sold on without the site realising that a breach had happened in the first place.

"He [Mastermind] has confirmed the findings of our investigation and has made an agreement with Topface for no further distribution of acquired email addresses database," the firm said in a statement.

"Due to the fact that he has not passed the data to anyone and has no intention to do so in the future, we will not accuse him, moreover, we have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security."

The huge cache included email addresses and user names but not passwords or other account data, the statement confirmed.

"Due to the fact that we do not store any billing information of users, and authorisation of more than 95 percent of accounts are going via social networks, we are confident, that third parties could not get any additional data of users."

Users logging in to the site using email addresses had been asked to change their passwords as a precaution.

The response leaves a number of questions lingering such as how it is certain that the data has not been passed on. Topface describes the transaction as a payment but to many others it will be viewed as a ransom of sorts. Presumably, if someone had offered a higher price, buying the data back wouldn't have been possible.

Hackers who mine some kind of reward out of bending the rules are far from unknown. One example is George 'Geohot' Hotz, who in 2011 got a job at Facebook after acquiring mild notoriety for jailbreaking the iPhone in 2007 and doing the same to Sony's PlayStation 3. However, he was not taking money after stealing data so the comparison is not a direct one.

With nearly 92 million users and growing, Topface doesn't appear to have suffered any negative consequences as a result of the breach.

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place