Shady websites offering dating and hookup services leaked personal, financial, and in some cases security-related information
The breach also exposes the behind-the-scenes activities of the sites, which in some cases included the solicitation of minors for prostitution, the sharing of nude images of minors, widespread sex work transactions, and the creation of fake user profiles to try to entice users to subscribe to their services.
The breach, which was jointly exposed by Calcalist and hacktivists Noam Rotem and Ido Keinan’s Cybercyber podcast, includes 100 sites operated by between five and seven different people. Nearly all the users of the sites are Israelis, though some of the sites are operated abroad, with at least one of them based in Russia.
The personal information revealed in the breach included email addresses, phone numbers, passwords, identification card numbers, physical addresses, sexual preferences, and tens of thousands of credit card numbers including their 3-digit verification codes. Out of all the user details that were exposed, 80,000 came from sites whose main activity was paid sex services, operating under the guise of matching users for sexual hookups.
In some cases, extremely sensitive details were also exposed, such as the user’s workplace, including those of public officials and military personnel, or their affiliation with a conservative religious community. “There is a potential to blackmail thousands of Israelis, some of whom fill sensitive positions or belong to a strict and demanding religious community,” Rotem said. “We saw evidence of actions carried out by rabbis and others who belong to Jewish and Muslim conservative communities. If these details become known there is a real risk to people’s lives.”
Tens of millions of private messages sent between users on the sites were also exposed, including requests for payment for sex and between three million and five million photos. The photos include nude images, in some cases of minors, copies of state and military-issued ID cards, credit cards, personal and financial documents, and also sensitive security-related documents.
“I saw screen captures of municipal tax payments made in exchange for sexual services, copies of bank account balances, apparently to prove financial liquidity,” the hacker who detected the breach, who goes under the alias “Stav,” told Cybercyber. He said he also saw “military documents, including maps, patrol assignments, and duty shifts.”
Stav, who also exposed the breach in the Likud Party’s election campaign management mobile app developed by Elector Software Ltd. in February, said there is a high probability that the data from the sites had reached the hands of hostile entities. “These are kindergarten-level hacks and it is likely that the data is already in the hands of foreign agents. What’s particularly disturbing is the potential to use the data to blackmail government employees seeking casual sexual encounters and there are many of them in the sites that were exposed. Of course, blackmail is also a possibility when it comes to members of conservative Jewish and Muslim communities, who would be willing to pay substantial sums to keep the information secret.”
Stav decided not to report the breach to the sites themselves or to the Israel National Cyber Directorate. “In the case of the Elector breach, I expected the authorities to take decisive action, but they haven’t and likely won’t do anything about it,” he explained. “It was a breaking point that led me to realize that Israel doesn’t have the desire or ability to protect its citizens online. Some of the operators of the sites are criminals who push weak individuals into sex work, while others are ordinary fraudsters who operate fake profiles to entice people into spending money, therefore the solution is not to help them beef up their network defenses.”
The leaked information can be used for blackmail purposes, particularly in instances when it is easily discernible that the user is a public official or a defense establishment employee. “We found rabbis, holders of public office, defense sector personnel — soldiers, cops and Defense Ministry employees who posted photos of themselves in uniform with their private parts exposed,” Rotem said. “Some of them even had the pictures taken while standing in front of operational maps or sensitive security information.
“Some government employees signed up using their work emails, including people with Ministry of Defense or court services addresses. These are people who can be blackmailed not only for money but for access to state secrets. These networks, even if they weren’t hacked, are being operated by shady foreign actors with access to the information.”
The leak also provides a glimpse into the sites’ methods of operation. In many of them, signing up and browsing are offered for free, but the sites demand a paid upgrade as soon as users wish to start engaging. How do they get users to offer up their credit card details? The operators create fake user profiles, commonly of women, which then use various tactics to seduce users into paying, thereby increasing the operators’ revenues.
“There is a huge number of fake accounts created by the operators, with at least two of them purchasing identical databanks of nude photos, apparently from an eastern European operator in order to make the fake profiles,” Rotem said. “Some of the sites mark the fake profiles as ‘bots’ or ‘fake’ in their internal management systems, so they easily identify them.
“These profiles approach real users in order to encourage activity and payment on the sites. A first approach by a bot is customarily in the form of one of a dozen routine messages saying ‘Hey, how’s it going?’, ‘What are you looking for?’, ‘Hi, honey, what’s up?’, ‘Send me a message if you’re here’, ‘Tell me about yourself’, ‘Want to party?’, ‘Are you free this weekend?’ and so forth. If a user fails to respond, the bot will turn to a secondary set of approaches such as: ‘Are you even here?’, ‘Hello?’, ‘Write something’, ‘Why aren’t you answering?’ and other messages that may include insults to guilt the user into responding. As soon as users choose to engage, they are required to make a payment, which is how the sites generate revenues,” Rotem explained.
Rotem added that only several thousand of the profiles found on the sites were fake, with the vast majority belonging to real users. He added that there is no way to determine how many of the accounts are duplicates (meaning a single user creating several profiles) without carrying out an in-depth examination of the exposed data, which is problematic due to legal issues.
Some of the sites also saved copies of the Administration of Border Crossings, Population and Immigration’s Agron databank, which was stolen and leaked online several years ago, in order to cross-reference ID numbers submitted by users with their real identities. One can only guess why such sites want to verify people’s identities and none of those guesses are savory.
Some of the message exchanges exposed in the breach reveal sites that pose as legitimate dating sites even though they actually operate as sex trafficking sites. “A man approaches one of the women, she replies and explains that an hour with her costs a certain sum and three hours costs another sum,” Rotem explained. “Some of the women operate independently and some work out of apartments. We were able to cross reference some of the women’s phone numbers with ads for escort services.”
In one instance, after chatting, the female user gave her partner a landline phone number and instructed that if she doesn’t answer to “ask for Noa, because I live with roommates.” A Google search revealed that the number she gave was identical to a service advertising “Extraordinary massages in Tel Aviv.” In another message exchange, a user wrote: “Hey baby. If you are interested in carrying on a discreet, fun and pampering relationship (with the possibility of support), speak to me,” and added his email address and phone number. The number belongs to a rabbi from central Israel.