Adult FriendFinder, one of the largest online dating sites, may have been breached more than two months ago, and the sensitive files - include names, ages, email addresses, zip codes and more - are apparently still online.
British broadcaster Channel 4 reported on Thursday that the website had been breached, although information regarding the breach had been trickling out in a low-key way for some time.
FriendFinder Networks, a California-based company that owns Adult Friend Finder and other dating websites, said in an advisory that it has contacted law enforcement and is investigating.
The company claimed it had "just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue."
"Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates," the company said.
Adult Friend Finder, which was founded in 1996, has more than 40 million members, according to its website. FriendFinder Networks says it has more than 600 million registered users across some 40,000 websites in its network.
The breach could be especially sensitive since Adult Friend Finder specializes in more risque types of meetings. The sales pitch on its landing page reads: "Looking for sex? Hoping to meet someone special for a hot, sexual relationship or even just a quick fling?"
The leaked records, contained in 15 Excel spreadsheets, are still online in an underground forum. The forum is a so-called "hidden" website hosted on the Tor network, which helps masks the site's true IP address. The site can only be reached using the Tor web browser.
The files contain hundreds of thousands of email addresses purportedly of Adult Friend Finders users. Some of the Excel files also contained detailed information about members, including their age, sex, state, zip code, username and IP address.
Some of the Excel files have a column for "paymenttype" although the fields are mostly blank. Efforts to reach FriendFinder Networks to verify the files were not successful.
Bev Robb, who does malware and dark web research, came across the Adult Friend Finder files in March. She said she held off on publicising the information for a few weeks before contacting two security experts.
"I really didn't know what to do with the data," she said. "I assumed it was some type of extortion."
She eventually wrote a blog post on April 13, which didn't name Adult Friend Finder but identified the online nickname of the person who leaked the files, whose goes by ROR[RG].
Before posting links to the files, ROR[RG] wrote a message directed at Adult Friend Finder saying "this is for owing my guy $247,938.28." He wrote in another post: "I am in Thailand. It is a pervo website. They owe my guy money."
The administrator of the underground forum wrote on Friday that it "only took 74 days to confirm the breach," linking to a story on the BBC.
FriendFinder Networks wrote that it had hired FireEye's forensics unit, Mandiant, to investigate along with Holland and Knight, a law firm, and a public relations company specializing in cybersecurity.
"We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected," it said. The company could not be reached for further comment.