AdultFriendFinder has been hacked, revealing the account details of more than 400 million people who would undoubtedly prefer to keep their identities private on the “world’s largest sex and swinger community” site.
The hacked database—which appears to be one of the largest single data breaches in history—apparently contains account details for numerous adult properties belonging to the California-based Friend Finder Network, and includes customers’ e-mail addresses, the IP addresses last used to log in to the site, and passwords.
According to data breach notification site LeakedSource.com, the passwords were either kept in plain text format, or used the largely discredited SHA1 hashing algorithm.
It claimed to have cracked 99 percent “of all available passwords” which “are now visible in plaintext.”
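The report describes the two weakest ways a site can store passwords: plaintext, or an unsalted fast hash such as SHA1, either of which lets a stolen database be turned back into passwords almost immediately. The following added example (not code from the article or from Friend Finder Networks) shows how a defender can audit a credential store for those two formats and transparently upgrade each record to a salted, memory-hard scrypt hash at the user’s next successful login; the user names, passwords and the `scrypt$` record format are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample "user table" in the two legacy formats the report describes
# (plaintext and unsalted SHA1). Every value here is made up for illustration.
LEGACY_USERS = {
    "alice": "hunter2",                             # stored in plaintext
    "bob": hashlib.sha1(b"password1").hexdigest(),  # unsalted SHA1 hex digest
}
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # ~16 MiB per hash; tune for your servers

def classify(stored: str) -> str:
    """Label how a stored credential is protected (heuristic, by format)."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "sha1"  # a 40-hex-char plaintext password would be mislabelled; fine for an audit
    return "plaintext"

def hash_scrypt(password: str, salt=None) -> str:
    """Salted, memory-hard hash in the constructed format scrypt$<salt hex>$<digest hex>."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()

def verify(stored: str, password: str) -> bool:
    """Check a password against any of the three formats using constant-time comparison."""
    kind = classify(stored)
    if kind == "scrypt":
        _, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
        return secrets.compare_digest(candidate.hex(), digest_hex)
    if kind == "sha1":
        return secrets.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored.lower())
    return secrets.compare_digest(stored.encode(), password.encode())

def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Verify the login; on success, re-hash any legacy record with salted scrypt."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if classify(stored) != "scrypt":
        users[username] = hash_scrypt(password)  # the plaintext is only available at login
    return True

def audit(users: dict) -> dict:
    """Count records per protection level, to size the weak part of the store."""
    counts = {"plaintext": 0, "sha1": 0, "scrypt": 0}
    for stored in users.values():
        counts[classify(stored)] += 1
    return counts
```

Run `audit()` before and after a migration window to see how many accounts are still in a crackable format; dormant accounts that never log in again must be force-reset rather than left in place.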
Around 339 million accounts were stolen from AdultFriendFinder.com. More than 15 million accounts which users thought they had deleted but which weren’t purged from the database were also hit.
Beyond that, 62 million accounts from Cams.com and seven million from Penthouse.com were compromised, alongside smaller numbers from other properties. Penthouse.com was sold to Penthouse Global Media in February.
The exposed data revealed some interesting habits among swingers: for example, Hotmail is the most popular e-mail account among users of the site, closely followed by Yahoo mail.
According to CSO Online, the hack was carried out via a Local File Inclusion exploit; such flaws “allow an attacker to include files located elsewhere on the server into the output of a given application.”
In a statement to ZDNet, Friend Finder Networks confirmed that the site had a vulnerability, but dodged attempts to confirm the breach.
Diana Ballou, its vice president and senior counsel, said:
Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources.
Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.
While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.
FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.
This is the second data breach at Friend Finder Network in the past 18 months.
The first, in May 2015, uncovered personal details for 3.5 million active users of the site, including questions on their sexual preferences—data which apparently wasn’t compromised this time around.
This post originated on Ars Technica UK