Tell your adult friends: 412 million accounts exposed in Adult Friend Finder hack
Everybody says it’s more difficult to make new friends as an adult, but that’s not exactly the function behind the website AdultFriendFinder.com. If you’re a member, you already know that, and should probably know this: The Washington Post reports that the site has likely been hit with one of the largest data-breach attacks on record, potentially exposing the user information for more than 412 million accounts going back 20 years.
That’s more than 10 times the number of accounts exposed in the Ashley Madison hack last year, which implicated 36 million people in charges of infidelity (or at least attempted infidelity). Like Ashley Madison, users of Adult Friend Finder are seeking connections that are explicitly sexual in nature; unlike Ashley Madison, though, these so-called ‘friends’ aren’t necessarily looking to do it behind their spouse’s back. In fact, the people in the site’s ‘swingers’ section are actually looking to do it in front of their spouse.
Anyway, very little information is available about the hack at the moment aside from the fact that it happened, and that information, including usernames, emails, join dates, plus the date of a user’s last visit, was exposed. But with the flurry of media reports outing anyone even marginally famous with an Ashley Madison account that popped up last year, we may see similar reports popping up within the next couple of days. And if you have an account on the site, or on Penthouse.com, Cams.com, Alt.com, OutPersonals, or any of the company’s countless other dating/‘dating’ sites, and don’t want anyone to see your masturbation material and/or awkward post-shower selfies, you’d best go check on that right now.
The information was first reported by LeakedSource, which describes itself as ‘a breach notification website that specializes in bringing hacking incidents to the public eye.’ It hasn’t been confirmed by anyone at Adult Friend Finder’s parent company FriendFinder Networks, although a representative tells The Washington Post that it’s investigating the situation. The last time Adult Friend Finder was hacked was in May 2015, which is not that long ago at all.
The personal information of many people who have subscribed to the AdultFriendFinder site for the past 20 years has been compromised in one of the largest cyber attacks in recent years.
The email addresses and passwords of 412 million accounts were exposed after the adult dating and content platform fell victim to the hack. The leaked information also includes the date of the last visit, browser information, and some purchasing patterns.
Describing itself as the world’s largest adult dating and content community, the AdultFriendFinder site is part of parent company FriendFinder Networks. According to information from LeakedSource, the hackers reportedly obtained access to the databases of the company’s different web sites, including information from 62 million users on the Cams.com site and 7 million on the Penthouse site.
The incident occurred last October, according to LeakedSource reports, and has also affected more than 15 million deleted accounts which, however, were still registered in the company’s database.
‘In the past few weeks, FriendFinder has received a series of reports about potential security vulnerabilities from a variety of sources. Immediately after receiving this information, we took several steps to examine the situation and have the appropriate external partners brought in to support our investigation,’ said Diana Ballou, vice president of FriendFinder Networks, to ZDNet.
This attack has surpassed the one that hit the AshleyMadison site in 2015, in which the data of some 36 million users was exposed. Few previous breaches compare in size; the closest is the one against MySpace, which resulted in over 359 million user accounts leaked online.
It is not yet clear who is behind the attack on the California-based company. Notably, it occurred around the same time that the security researcher known as Revolver revealed a security flaw in the AdultFriendFinder site which, he said, would allow anyone to execute malicious code on its web server. Revolver denied any responsibility and instead pointed to users of a Russian hacking forum.
Users registered on any of the FriendFinder Networks web sites have been advised to change their password immediately, and to change it on every other platform where they reused it.
Like all sectors — government, retail, finance and healthcare — the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways.
Namely, by getting hacked and pwned, hard. Take for example this week’s breach-bloodbath, in which FriendFinder Networks (FFN) lost its users’ data to criminal hackers and put those users at serious risk. Combined with Ashley Madison’s many deceits, FFN has also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.
We found out this week that “sex and swinger” social network Adult FriendFinder was breached, along with all of its other sites. The FriendFinder Network Inc. (FFN) operates AdultFriendFinder.com, webcam sex-work site cams.com, Penthouse.com and a few others; a total of six databases were reported in the haul.
The hack and dump performed on FFN has exposed 412,214,295 accounts, according to breach notification site Leaked Source, which disclosed the extent of the privacy disaster on Sunday. Leaked Source said “this data set will not be searchable by the general public on our main page temporarily for the time being.”
But as infosec blog Salted Hash put it, “The point is, these records exist in multiple places online. They’re being sold or shared with anyone who might have an interest in them.”
That’s more users than Twitter and a third of Facebook’s global membership. It’s not bigger than Yahoo’s abysmal security apocalypse, in which, we recently learned, 500 million accounts were compromised in 2014. Yet FFN’s epic catastrophe far exceeds the likes of eBay (145M), Anthem (80M), Sony (77M), JP Morgan Chase (76M), Target (70M) and Home Depot (56M).
Making it worse than a typical security fail is what’s in the data.
The snatched records contain usernames, email addresses and passwords — nearly all of which are visible in plain text. More than 900,000 accounts used the password “123456,” 101,046 used “password,” tens of thousands used words like “pussy” and “fuckme” — which we suppose is exactly what FriendFinder did to the user by storing their passwords so recklessly.
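The recklessness just described is a storage choice, not an attacker trick. The following is an added example (not FriendFinder code) that puts a plain-text password store beside a salted, iterated hash using only the Python standard library; the user records, the tiny breached-password deny-list and the iteration count are constructed for the illustration.

```python
"""Password storage two ways: the plain-text record that a dump like this
exposes, beside salted PBKDF2 hashing with constant-time verification.
Added example, not FriendFinder code; users and the deny-list are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption for the example; raise it for production use

# Stand-in for a real breached-password corpus (the dump's own top entries).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "pussy", "fuckme"}


def store_plaintext(password: str) -> str:
    """What a plain-text store amounts to: the secret itself is the record,
    so anyone holding the table can count who used '123456'."""
    return password


def store_hashed(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash; the record carries everything verify needs."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme: %r" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def register(username: str, password: str, store: dict) -> str:
    """Refuse deny-listed passwords at signup, then persist the hash."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password appears in breach corpus")
    store[username] = store_hashed(password)
    return store[username]


def compare_schemes() -> dict:
    """Show why a hashed table cannot be read the way the dump was."""
    users = [("alice", "123456"), ("bob", "123456"), ("carol", "correct horse")]
    plain = {u: store_plaintext(p) for u, p in users}
    hashed = {u: store_hashed(p) for u, p in users}
    return {
        # plain-text: identical passwords are identical records
        "plain_collide": plain["alice"] == plain["bob"],
        # per-user salt: identical passwords give distinct records
        "hashed_collide": hashed["alice"] == hashed["bob"],
        "verify_ok": verify_hashed("correct horse", hashed["carol"]),
        "verify_bad": verify_hashed("wrong", hashed["carol"]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The point of the per-user salt is visible in `compare_schemes()`: with plain text (or an unsalted hash) every "123456" row looks the same, which is exactly how counts like "900,000 used 123456" are read straight off a stolen table.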
But wait, there’s more embarrassment to be had by all. Stolen FriendFinder Networks files show that 78,301 accounts used a .mil email address and 5,650 used a .gov email. The Telegraph reports addresses associated with the British government include seven gov.uk email addresses, 1,119 from the Ministry of Defence, 12 from Parliament, 54 UK police email addresses, 437 NHS ones and 2,028 from schools. Suffice it to say, federal employees are in the category of pervs who need to make sure they aren’t reusing any of those bad passwords on other accounts.
As we discovered from files exposed in the Ashley Madison breach, FriendFinder wasn’t removing profiles that users believed to have been closed or removed. The records were found by Leaked Source to contain 15,766,727 accounts that were supposed to have been deleted. They wrote, “It is impossible to register an account using an email that’s formatted this way which means the addition of ‘@deleted.com’ was done behind the scenes by Adult Friend Finder.”
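The three findings above (top passwords, government and military domains, and the ‘@deleted.com’ soft-delete marker) are the kind of triage an analyst runs over a dump before anything else. The script below is an added example, not Leaked Source’s tooling: it works over a constructed eight-line sample in an assumed `email:password` layout and reports the same three things, treating an address with two ‘@’ signs ending in ‘@deleted.com’ as a soft-deleted account whose original address is recovered by stripping the suffix.

```python
"""Breach-dump triage: top passwords, sensitive domains, soft-deleted rows.
Added example, not Leaked Source code; the dump format and sample records
are constructed for the illustration."""
from collections import Counter

# Constructed sample in an assumed "email:password" layout (one record per line).
SAMPLE_DUMP = """\
jsmith@example.com:123456
amy.lee@navy.mil:password
bob@example.org:fuckme
tom@army.mil:123456
kate@agency.gov:P@ssw0rd!
old.user@example.com@deleted.com:123456
another@example.net@deleted.com:qwerty
carl@dept.gov.uk:Summer2016
"""

DELETED_SUFFIX = "@deleted.com"
# Domain suffixes worth flagging, per the article's .mil/.gov/gov.uk tallies.
SENSITIVE_SUFFIXES = ("mil", "gov", "gov.uk", "mod.uk", "police.uk", "nhs.uk")
WEAK_PASSWORDS = {"123456", "password", "qwerty", "fuckme", "pussy"}


def parse_record(line: str):
    """Split one record; detect the soft-delete marker and recover the
    original address. A real signup can never hold two '@' characters,
    which is what makes the marker unambiguous."""
    email, password = line.split(":", 1)  # password may itself contain ':'
    deleted = email.count("@") > 1 and email.endswith(DELETED_SUFFIX)
    if deleted:
        email = email[: -len(DELETED_SUFFIX)]
    return email, password, deleted


def sensitive_suffix(domain: str):
    """Return the matching sensitive suffix for a domain, or None."""
    for suffix in SENSITIVE_SUFFIXES:
        if domain == suffix or domain.endswith("." + suffix):
            return suffix
    return None


def triage(dump: str) -> dict:
    passwords = Counter()
    sensitive = Counter()
    deleted = 0
    total = 0
    weak = 0
    for line in dump.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank or malformed rows rather than crash mid-dump
        email, password, is_deleted = parse_record(line)
        total += 1
        deleted += is_deleted
        passwords[password] += 1
        weak += password.lower() in WEAK_PASSWORDS
        suffix = sensitive_suffix(email.rsplit("@", 1)[-1].lower())
        if suffix:
            sensitive[suffix] += 1
    return {
        "total": total,
        "deleted": deleted,
        "top_passwords": passwords.most_common(3),
        "sensitive": dict(sensitive),
        "weak_share": weak / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the real dump the same loop would simply run over hundreds of millions of lines; the only logic that changes with the source is `parse_record`, which is why it is kept separate from the counting.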
This breach actually happened last month. Salted Hash first reported the discovery of a serious security issue at FFN, then revealed the beginning of this massive database catastrophe.
In October, a researcher who went by the names “1x0123” and “Revolver” posted screenshots on Twitter showing what’s known as a Local File Inclusion vulnerability on Adult FriendFinder, a flaw in which the web application can be coaxed into reading and serving files from its own server that it was never meant to expose. Revolver is known for finding adult website security issues, and they confirmed to Salted Hash that the flaw was being actively exploited. Right away, Leaked Source began to receive files from FriendFinder’s databases, some 100 million records. Everyone involved believed this was just the beginning of a massive data breach.
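To make the vulnerability class concrete, here is an added example (not the AdultFriendFinder code, whose details were never published) of a page-include routine written the way LFI bugs usually are, next to a hardened version. The directory layout, file names and the hypothetical `db_config.php` outside the web root are constructed for the illustration.

```python
"""Local File Inclusion: a vulnerable include routine beside a hardened one.
Added example, not FriendFinder code; the file layout is constructed."""
import os
import tempfile
from pathlib import Path

# Constructed layout: a web root with one includable template and a
# sensitive file one level above it (the kind of thing LFI is used to read).
ROOT = Path(tempfile.mkdtemp())
WEB_ROOT = ROOT / "htdocs"
TEMPLATES = WEB_ROOT / "templates"
TEMPLATES.mkdir(parents=True)
(TEMPLATES / "profile.html").write_text("<h1>profile page</h1>")
(ROOT / "db_config.php").write_text("$db_pass = 'hunter2';")  # outside htdocs


def include_vulnerable(page: str) -> str:
    """The classic bug: the request parameter is joined onto the template
    directory and opened as-is. '../' walks out of the directory, and
    os.path.join discards the base entirely if the parameter is absolute."""
    path = os.path.join(TEMPLATES, page)
    with open(path) as f:
        return f.read()


ALLOWED_SUFFIXES = {".html"}


def include_hardened(page: str) -> str:
    """Canonicalise the requested path, then require that it (a) still lies
    inside the template directory once '..' and symlinks are resolved and
    (b) carries an allow-listed extension."""
    base = TEMPLATES.resolve()
    # joinpath keeps an absolute `page` absolute, so the containment check
    # below is what rejects it, not the join.
    candidate = base.joinpath(page).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"path escapes template root: {page!r}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise PermissionError(f"disallowed file type: {candidate.suffix!r}")
    return candidate.read_text()


def demo() -> dict:
    """What each version returns for a legitimate and a traversal request."""
    traversal = "../../db_config.php"
    results = {
        "vuln_ok": include_vulnerable("profile.html"),
        "vuln_lfi": include_vulnerable(traversal),  # leaks db_config.php
        "hard_ok": include_hardened("profile.html"),
    }
    try:
        include_hardened(traversal)
        results["hard_lfi"] = "ALLOWED"
    except PermissionError as exc:
        results["hard_lfi"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment test is done on the resolved path rather than on the string, because string checks for `..` miss encoded variants, absolute paths and symlinks; the extension allow-list is a second, independent gate so that a future mistake in the first does not immediately hand over configuration files.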
After their October disclosure got FriendFinder’s attention, Revolver tweeted that FFN’s security issue was resolved and “no customer information ever left their site,” which was clearly untrue. Their Twitter account has since disappeared.
FriendFinder Network conceded in a press release on Monday that it was “addressing a security incident involving certain customer usernames, passwords and email addresses.” It did not acknowledge the number of records exposed. Although FFN recommended that users who might be reading its press release change their passwords, it still hasn’t notified its customers directly, and there are no notifications on any of its compromised web sites.
This was the second breach for the site in less than two years. In May 2015, Adult FriendFinder was hacked, and the attackers exposed details of nearly four million users. The compromised information included sexual preferences and personal details, whether they are gay or straight, and whether they are seeking extramarital affairs, along with email addresses, usernames, dates of birth, postcodes and the IP addresses of users’ computers.
In that instance, TekSecurity had discovered the files on a darknet forum, and noted that AFF hadn’t reported the breach. They wrote about the files saying, “there is a ton of personally identifiable information (PII) sitting in a forum on the Darknet that has been viewed 1,756 times.”
Driving home the harm to consumers, the post explained, “It is unknown how many times the breached data files have been downloaded. Though the files were stripped of credit card data, it is still relatively easy to connect the dots and identify thousands upon thousands of users who subscribe to this adult site.”
Security is one area in which adult and porn sites are far behind, and no matter how you feel about sex work and adult entertainment, they are arenas in which strong security should be a priority for all involved. Porn industry trade association Free Speech Coalition, for its part, is trying to lead the charge. They recently released a brief with the Center for Democracy and Technology (CDT) to push porn sites to upgrade their connections and all use HTTPS. Right now, generally the adult sites that have better security are indies outside the mainstream industry, like queer porn sites and sex culture blogs (like mine).
Hopefully we don’t need to have another OPM-of-adult security tragedy, like the FriendFinder debacle, to see the leading porn sites with the majority of users get up to speed in the fight against hack attacks. Right now, giants like Pornhub and Brazzers don’t have https.
Encouraging adult sites to make small changes for better security, from hookup systems such as FriendFinder to porn tube sites, is a larger undertaking than you’d think. The idea that there is one “adult industry” is little more than that, an idea. In reality, it’s a wide variety of small business entrepreneurs and large legacy businesses, with a ton of independent contractors constantly flowing through the global network. All are operating without access to the regulated business tools and safe promotional channels every other business on the planet can use, of course. Because of the stigma.
That stigma also makes it a highly targeted sector. So, it’s refreshing to see organizations like the Center for Democracy and Technology trying to help coordinate security changes like https for such a controversial industry without judgement.
But in order for it to work, adult mega-empires like FriendFinder will need to stop hiding behind press releases and own up to their security shortcomings. They’ll need to be better than the businesses that aren’t forced to inhabit the shadows, and they’ll need to do what those businesses aren’t doing: listen to hackers.