The company behind AdultFriendFinder.com has only just begun directly informing its users that their data has been stolen, a week after it publicly admitted that its networks had been compromised.
Friend Finder Networks, which owns several adult dating and entertainment sites including AdultFriendFinder.com and Cams.com, alerted users to a "security incident" in a message on Sunday, a little over a week after we first reported on the scale of the breach, which affected over 400 million accounts.
"We recently learned of a security incident that compromised certain customer usernames, passwords, and email addresses," said the message. "Immediately upon learning this information, we took several steps to investigate the situation and retained external partners to support our investigation."
But AdultFriendFinder was far from proactive about informing its users.
Several of the site's users contacted me to say that they were only alerted to the security issue by a message in their on-site inbox after they logged into one of the sites.
They heard about the hack from the media, and yet they had not received any emails from the company directly.
That's a problem for the hundreds of millions of users who no longer use the site but may still be affected by the breach. AdultFriendFinder.com alone claims to have 700 million users, but according to an analysis of the last login dates, over 200 million users haven't logged in since 2010.
Friend Finder Networks has been wholly silent -- with the exception of a press release posted late in the day last Monday, two days after news of the hack first broke, confirming the hack and that it was investigating the breach. The statement said that the company was "in the process of notifying affected users to provide them with information and guidance on how they can protect themselves", but it gave no timeline on delivery.
One user, who did not want to be named, told me that they thought it was "unacceptable" that they had to hear about the hack from the media rather than the company.
The press release also said that the company "encourages" users to change their passwords, as opposed to forcing users to reset their passwords when they next log in, which most security professionals consider standard practice after a data breach.
Another user who emailed told me that when they went to change their password, the page suggested users should use "characters a-z" and "numbers 0-9", and stated that passwords are not case sensitive. An analysis by LeakedSource, a breach notification site which obtained the database, first noted that the sites converted user passwords to lowercase before storing them, which, if the stored values are stolen, makes them easier to crack.
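To show why case-folding matters, here is an added illustration that is not code from the article or from the company: a scheme that lowercases before hashing next to a hardened one that keeps the exact password, salts it and uses a slow key-derivation function. The hash and KDF choices (SHA-256, PBKDF2) are assumptions for illustration; the article does not say what algorithm the sites used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example: two password-storage schemes side by side.
# The algorithms are assumptions; the article does not name the site's.

LOWER_ALNUM = 26 + 10          # a-z plus 0-9, as the reset page suggested
MIXED_ALNUM = 26 + 26 + 10     # a-z, A-Z and 0-9


def case_folded_digest(password: str) -> str:
    """Weak scheme: lowercases before hashing, so 'Secret1' and 'SECRET1'
    yield the same stored value and a guesser need only try lowercase."""
    return hashlib.sha256(password.lower().encode()).hexdigest()


def hardened_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: keep the exact password, add a per-user random salt,
    and run a slow KDF (PBKDF2-HMAC-SHA256 here; bcrypt/argon2 also fit)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def hardened_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a fresh derivation against the stored digest."""
    _, candidate = hardened_record(password, salt)
    return hmac.compare_digest(candidate, stored)


def keyspace_reduction(length: int) -> float:
    """Factor by which case-folding shrinks the guess space for alphanumeric
    passwords of the given length: (62/36) ** length."""
    return (MIXED_ALNUM / LOWER_ALNUM) ** length


if __name__ == "__main__":
    print(case_folded_digest("Secret1") == case_folded_digest("SECRET1"))  # True
    salt, stored = hardened_record("Secret1")
    print(hardened_verify("SECRET1", salt, stored))  # False: case is preserved
    print(round(keyspace_reduction(8)))  # about 77x fewer guesses for 8 chars
```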
A spokesperson for the company, now handled by a public relations firm known to specialize in "crisis communications", did not comment but referred back to the previous press release.