Topface, a Russian online dating service, has paid an undisclosed sum to an attacker who stole 20 million user email addresses and then advertised them for sale.
According to Bloomberg, Topface, based in St. Petersburg, managed to track down the intruder after he advertised to sell the email addresses.
CEO Dmitry Filatov said that Topface won’t be pressing charges, given that the attacker hadn’t (yet) passed the data to anyone and agreed not to do so.
Topface is not calling this payment “ransom.” Topface is, rather, calling it “an award for finding a vulnerability”.
There are no details available on what vulnerability the attacker exploited to exfiltrate the user data, but the company seems to have struck up some sort of working relationship with him.
Topface agreed to “[cooperate] in the field of data security”, according to an email exchange between Filatov and Bloomberg.
Which presumably means we should stop calling him an attacker, hacker or intruder, and instead refer to him as, perhaps, a “consultant”?
Filatov said that his company’s new “security consultant” (I believe that phrase requires air quotes when read aloud) didn’t access anything beyond the email addresses:
There was no access to other information - neither passwords, nor content of the accounts [such as private correspondence or photos].
He also said that about 95 percent of Topface’s users access the service through their social media accounts, and that Topface doesn’t store users’ billing information.
According to the company’s own site, Topface has 92 million users and is the fastest-growing dating service in the world.
If a company buys the cooperation of the man who’s kidnapped its data, to keep him from selling it off, how is that different from paying ransom?
There’s such a thing as responsible disclosure, where researchers who discover vulnerabilities quietly inform the online properties, without blabbing about it far and wide, thus giving sites the opportunity to close the holes before they’re exploited.
Then again, there’s full disclosure, which is the game of show and tell brought to the world of security: i.e., the researcher shows and tells everyone all at once, as a way of forcing the good guys to stop sitting on their hands doing nothing about the vulnerability.
Then again, there’s this case with Topface, which involves no disclosure whatsoever.
Rather, from the sound of it, Topface first learned of its vulnerability when it became aware that it had not only been exploited, but also that the fruits of that exploitation were to be sold off like so many bananas.
Perhaps there’s more here than meets the eye. It’s hard to imagine working with the guy who just plucked your wallet from your pocket, but with so few details available, it’s hard to know what the company is actually dealing with.
Topface is recommending that customers change their passwords.