WASHINGTON (AP) — The Associated Press reported Thursday that someone with access to a work email account for Ohio Republican Senate candidate Bernie Moreno created a profile in late 2008 on an adult website, seeking casual sexual encounters with men.
The story relied on records from a number of publicly available sources of information, including a leaked 2016 database from the website Adult Friend Finder, current records the site makes available online about past and present profiles, property records and business filings, as well as archived versions of websites for Adult Friend Finder and businesses that Moreno once owned.
The AP could not definitively confirm whether the profile was created by Moreno himself.
Questions about the profile have circulated in GOP circles for the past month. On Thursday evening, two days after the AP first asked Moreno’s campaign about the account, the candidate’s lawyer said a former intern created the account as a prank. The lawyer provided a statement from the intern, Dan Ricci, who said he created the account as “part of a juvenile prank.”
“I am thoroughly embarrassed by an aborted prank I pulled on my friend, and former boss, Bernie Moreno, nearly two decades ago,” Ricci said. The AP couldn’t independently confirm Ricci’s statement and he didn’t immediately respond to a request for comment. Ricci donated $6,599 to Moreno’s campaign last year, according to campaign finance records.
Moreno’s lawyer, Charles Harder, insisted Moreno “had nothing to do with the AFF account."
Here's how AP reported the story:
In 2016, the website Adult Friend Finder was the subject of a massive and well-documented data breach that exposed the personal information of millions of users, including a large number of old accounts that appeared to have been previously closed or left dormant. The episode, which was widely reported on at the time, was the second such breach of the website, following a smaller leak that occurred the previous year.
That data remains available online. The AP located the files, downloaded them from a publicly accessible location and matched the contents with previous reporting on the size and nature of the leaked data.
The data included a unique account number, as well as a work email address for Moreno — bernie@clevelandporsche.com — that was once listed for him on the website of a dealership he owned. It also listed a username, “nardo19672.”
Jake Williams, a prominent cybersecurity researcher and a former National Security Agency offensive hacker, independently confirmed that the email address was included in a copy of the leaked data.
The AP verified that the email address was publicly listed as Moreno's by using a website called the WayBack Machine, which preserves online data so that it can be retrieved later, even after a site is edited or removed. Moreno's company page listed the address as belonging to him in 2010, while internet domain registration filings show that one of Moreno's companies owned the clevelandporcshe.com domain name in 2008, when the account was created.
In order to complete the creation of an account on Adult Friend Finder and successfully log in at the time, a user would need access to the email address they used to establish it, according to an archived copy of the site from 2008. The reason, the company explained, is because that's where an account password needed to log in would be sent.
"Adult Friend Finder only requires a valid email address in order to become a member of this site, as you will not be able to obtain your password without one,” the company stated on its website in 2008.
Data obtained by the AP shows that the account was authenticated by someone with access to Moreno's work email address roughly two minutes after it was created.
The AP used the unique account number obtained from the leaked data to retrieve additional information for the online profile from a publicly accessible data portal, called an API, on Adult Friend Finder's website. It showed that the account was created in late 2008 and used for roughly six hours.
Beyond the work email, geolocation data indicates that the account was set up for use in a part of Fort Lauderdale, Florida, where property records show Moreno’s parents owned a home at the time. The account’s username — nardo19672 — appears to be a reference to Moreno’s full first name, Bernardo, as well as the year and month of his birth in February 1967.
And the profile itself, which remains viewable online, lists Moreno's correct birthdate.
Metadata obtained from Adult Friend Finder indicates the profile creator was interested in meeting “Men for 1-on-1 sex," stated they would “prefer not to say” what their marital status was, and declined to reveal their sexual orientation.
“Hi, looking for young guys to have fun with while traveling,” reads a caption on the photo-less profile.
Cyber Security experts say that, in all likelihood, the account had been closed but the company still retained the data and made it publicly searchable. The beginning of his username in the leaked data contained the designation “rm_,” which is a common flag for programmers to indicate that an account has been removed or closed.
But as was often the case before new rules protecting personal information went into effect, websites often did not truly delete the data.
“It’s very common that they would hold on to those accounts,” said Williams, who said a similar phenomenon occurred when data was leaked from the website Ashley Madison, which catered to married individuals seeking affairs. “We had a lot of people who said: ‘How do they have this? I deleted this years ago.’ The answer is: Your stuff is not really deleted.”
___
Associated Press data journalist Larry Fenn contributed to this report.