Subscribers to the hookup site Adult Friend Finder received notification of a massive hack, but only if they logged in, according to ZDNet.
A week after the breach, which exposed the personal data of 412 million accounts, Friend Finder Networks, the company behind the site as well as several other adult sites, began sending out notices to users' inboxes within the site.
"We recently learned of a security incident that compromised certain customer usernames, passwords, and email addresses," the message stated. "Immediately upon learning this information, we took several steps to investigate the situation and retained external partners to support our investigation."
While the company alerted active users via its internal message and issued a press release last Monday urging members to change their password while stating it is "in the process of notifying affected users," there are still millions of past users who have not yet been contacted. The breach is said to include more than 15 million accounts that had been deleted and more than 200 million accounts which have been inactive since 2010.
"Data breaches have become a part of everyday life," Tony Gauda, CEO of ThinAir, a Palo Alto, Calif.-based enterprise security firm, told SC Media on Tuesday. "And as they've increased in frequency, consumers have begun judging businesses for how they respond to cyberattacks, instead of simply judging them for being breached in the first place."
The public has come to expect a thorough and speedy response on the part of the organizations to which they entrust their PII, Gauda added. "That is something Friend Finder Networks failed to deliver."
By taking a week to notify affected users directly, the door is essentially left wide open for cybercriminals looking to compromise an individual's various accounts, Gauda said. "With up to 400 million account credentials compromised, it's inevitable that some (if not most) weren't created with proper password hygiene, and can likely access other sensitive accounts. Incidents such as this underscore the need for stricter breach notification guidelines, as time and time again companies fail to follow the simplest best practices."
Update: Comments added from Tony Gauda, CEO of ThinAir.