
Mega-Breach Exposes 412 Million AdultFriendFinder Accounts

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications


Friend Finder Network breach includes Penthouse.com users and ‘deleted’ accounts

A data breach targeting dating and erotic media site Friend Finder Network has exposed the personal details of more than 412 million accounts, including more than 15 million that users had asked to be deleted.

The incident, reported by breach aggregator LeakedSource, occurred last month and affects 339 million users of AdultFriendFinder.com as well as subsidiaries Cams.com, iCams.com and Stripshow.com.

‘Deleted’ accounts

More than 7 million accounts linked to Penthouse.com are also included in the data, in spite of the fact that Friend Finder sold the site to Penthouse Global Media in February.

The dump includes 15 million accounts that users had asked to be deleted, but which had not been removed from the company’s records, LeakedSource said.

The number of records breached makes the hack the largest leak known to date, surpassing the 360 million MySpace users affected by an incident that was carried out in 2012 but only came to light in May.

LeakedSource said that due to the nature of the data it wouldn’t make the cache searchable by Internet users, as it usually does. Several news agencies said they had obtained portions of the data and independently verified them.

Friend Finder describes AdultFriendFinder.com as “the world’s largest sex and swinger community”.

Last month a computer security researcher who uses pseudonyms including 1x0123 and Revolver published the details of a Local File Inclusion vulnerability in AdultFriendFinder.com, and the attack was carried out afterward using this bug, according to LeakedSource.

The researcher in question denied involvement in the attack, according to reports.

Passwords exposed

LeakedSource said it had been able to decode 99 percent of the passwords found in the databases, which were stored in plain text or using the weak SHA-1 hash function.
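Why unsalted SHA-1 (and plaintext) storage lets almost every password be read back, and what the stored form should look like instead, as an added illustration that is not part of the article. The records, usernames and wordlist are constructed for the demo; the audit and hashing helpers are hypothetical, not anything from Friend Finder's systems.

```python
import hashlib
import hmac
import os

# Constructed sample of stored credential records in the two weak formats the
# article describes: plaintext, and an unsalted SHA-1 hex digest of the password.
SAMPLE_RECORDS = {
    "alice": ("plain", "letmein"),
    "bob": ("sha1", hashlib.sha1(b"password1").hexdigest()),
    "carol": ("sha1", hashlib.sha1(b"x7#Qv!9tLp").hexdigest()),  # not in wordlist
}

# Constructed wordlist; a real audit of your own store would use a large list.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]

def audit_weak_storage(records, wordlist):
    """Return {user: password} for every record that is readable without effort:
    plaintext entries, and unsalted SHA-1 digests matching a precomputed table.
    Because there is no salt, one table built once serves every account."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    exposed = {}
    for user, (fmt, value) in records.items():
        if fmt == "plain":
            exposed[user] = value
        elif fmt == "sha1" and value in table:
            exposed[user] = table[value]
    return exposed

def hash_password(password, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 (standard library only). The random
    per-user salt defeats shared lookup tables; the iteration count makes each
    guess cost real CPU time instead of one fast SHA-1 call."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(audit_weak_storage(SAMPLE_RECORDS, WORDLIST))  # alice and bob exposed
    stored = hash_password("letmein")
    print(verify_password("letmein", stored), verify_password("wrong", stored))
```

Only carol's record survives the audit, and only because her password is not in the list; the salted form makes even a listed password cost a fresh computation per account.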

The data, which includes 20 years’ worth of information, comprises usernames, email addresses, date of last visit and membership data such as whether the user was a VIP member, what browser was used, the IP address last used to log in and whether the user had paid for items.

The email addresses include more than 5,000 US government addresses and more than 78,000 US military addresses, LeakedSource said.

Friend Finder was hacked last year, resulting in a breach that affected 4 million accounts, with data including sexual preference and whether the user was looking for an extramarital affair.

The October breach does not appear to contain details such as sexual preference, according to reports.

Friend Finder confirmed it had fixed an unspecified security vulnerability, and said it is investigating other bug reports, but declined to comment on the reported breach itself.

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources,” the company stated. “FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

Penthouse Global Media said it was “aware of the data hack” and was “waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data”.

Following the hack of adultery site Ashley Madison last year some users said they received blackmail threats through the post.
