Two decades of customer data was stolen from AdultFriendFinder, Cams.com, and more.

More than 400 million Friend Finder Networks user accounts have been leaked following an October hack of the adult social media platform.

Two decades of customer data was stolen from sites including AdultFriendFinder, Cams.com, Penthouse, Stripshow, and iCams.com in what breach notification website Leaked Source calls “by far the largest breach we have ever seen.”

FriendFinder Networks did not immediately respond to PCMag’s request for comment.

With nearly 340 million users (including more than 15 million “deleted” accounts), AdultFriendFinder—the “world’s largest sex and swinger community”—was hit hardest. FriendFinder sites have between 1 million and 62 million subscribers.

On Oct. 18, a researcher posted screenshots to Twitter exposing Local File Inclusion (LFI) flaws on AdultFriendFinder. The hack, according to Leaked Source, was carried out via an LFI exploit, and preyed on poorly stored passwords saved as plain text or encrypted using the insecure SHA-1 cipher. The same algorithm was reportedly used to cache hundreds of millions of LinkedIn passwords stolen in a 2012 data breach.

“Neither method is considered secure by any stretch of the imagination,” LeakedSource said in a blog post.

The hashed passwords, meanwhile, appear to have been changed by FriendFinder Networks to all lowercase characters before storage, making them easier to attack, but less useful when trying to infiltrate other sites.

LeakedSource has decided the data set—which includes more than 412 million accounts’ usernames, emails, and passwords—will not be publicly searchable on its main page “for the time being.” The firm did, however, reveal that there are 5,650 .gov emails, and 78,301 .mil (military) domains registered on all six databases.

This isn’t the first time the Internet hook-up destination was targeted. A hacker in May 2015 leaked data from 3.9 million AdultFriendFinder members onto a darknet forum, including birthdays, ZIP codes, and IP addresses. The leak also includes details such as sexual orientations and whether the user was interested in an extramarital affair. In other words: prime blackmail material.

This breach surpasses the 2013 hack of 360 million MySpace accounts.

Leave a Reply