Adult Friend Finder Hacked Exposing Over 400 Million Users – Lousy Password Habits Continue
LeakedSource claims it has obtained over 400 million stolen user accounts from the adult dating and pornography site company Friend Finder Networks, Inc. Hackers attacked the company in October, resulting in one of the largest data breaches ever recorded.
AdultFriendFinder hacked - over 400 million users' data exposed
The hack of adult dating and entertainment company has exposed more than 412 million accounts. The breach includes 339 million accounts from AdultFriendFinder.com, which sports itself as the "world's largest sex and swinger community." Similar to Ashley Madison drama in 2015, the hack also leaked over 15 million supposedly deleted accounts that weren't purged from the databases.
The attack exposed email addresses, passwords, browser information, IP addresses, date of last visits, and membership status across sites run by the Friend Finder Networks. FriendFinder hack is the biggest breach in terms of number of users since the leak of 359 million MySpace users accounts. The data appears to come from at least six different websites operated by Friend Finder Networks and its subsidiaries.
Over 62 million accounts are from Cams.com, nearly 2.5 million from Stripshow.com and iCams.com, over 7.1 million from Penthouse.com, and 35,000 accounts from an unidentified domain. Penthouse was sold earlier in the year to Penthouse Global Media, Inc. It is unclear why Friend Finder Networks still has the database even though it shouldn't be operating the property it has already sold.
Biggest problem? Passwords! Yep, "123456" doesn't help you
Friend Finder Networks was apparently following the worst security measures - even after an earlier hack. Many of the passwords leaked in the breach are in clear text. The rest were converted to lowercase and stored as SHA1 hashes, which are easier to crack too. "Passwords were stored by Friend Finder Networks either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination," LS said.
Coming to the user side of the equation, the stupid password habits continue. According to LeakedSource, the top three most used passwords are "123456," "12345" and "123456789." Seriously? To help you feel better, your password would have been exposed by the Network, no matter how long or random it was, thanks to weak encryption policies.
LeakedSource claims it has managed to crack 99% of the hashes. The leaked data can be used in blackmailing and ransom cases, among other crimes. There are 5,650 .gov accounts and 78,301 .mil accounts, which may be specifically targeted by criminals.
The vulnerability used in the AdultFriendFinder breach
The company said the attackers used a local file inclusion vulnerability to steal user data. The vulnerability was disclosed by a hacker a month ago. "LFI results in data being printed to the screen," CSO had reported last month. "Or they can be leveraged to perform more serious actions, including code execution. This vulnerability exists in applications that don’t properly validate user-supplied input, and leverage dynamic file inclusion calls in their code."
"FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources," Friend Finder Networks VP and senior counsel, Diana Ballou, told ZDNet. "While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability."
Last year, Adult Friend Finder confirmed 3.5 million users accounts had been compromised in an attack. The attack was "revenge-based," as the hacker demanded $100,000 ransom money.
Unlike previous mega breaches that we have seen this year, the breach notification site has decided not to make the compromised data searchable on its website because of the possible repercussions for users.