412m AdultFriendFinder network accounts exposed in massive breach

14 Nov 2016


A major data breach against FriendFinder Networks – responsible for AdultFriendFinder and others – has left all of its 412m account holders’ details completely exposed.

Describing itself as the “world’s largest sex and swinger community” website, FriendFinder Networks now follows in the footsteps of Ashley Madison as the target of a major data breach against a very personal service.

According to Leaked Source, the hack against the company’s accounts – largely consisting of users of the site AdultFriendFinder – has resulted in the exposure of personal details of 339m account holders.

Two decades’ worth of data

The company’s poor data housekeeping has also been exposed, as that number includes 15m deleted accounts that were never removed from its databases.

Additionally, the company’s other two websites Cams.com and Penthouse.com have also been breached, resulting in 62m accounts and 7m accounts accessed by the hackers, respectively.

All of this data adds up to nearly two decades’ worth of user information and follows on from a hack against the company’s servers as recently as last year, which resulted in the exposure of data on 4m customers.

Based on the data obtained by Leaked Source, the discovery was made by a security researcher going by the name Revolver, who revealed in October a local file intrusion vulnerability that would allow a hacker to remotely upload a malicious file on to AdultFriendFinder’s servers.

Personal information, but not very personal

While the perpetrator remains unconfirmed, Revolver has suggested that the source of the hack lies within an underground community of Russian hackers.

Unlike the hack last year, which contained very sensitive information such as a person’s sexual preference or interest in infidelity, analysis of a portion of the latest data conducted by ZDNet shows it to be more basic account information, though it also includes passwords.

Worryingly for users of the affected sites, the passwords were protected only with the older SHA-1 hashing algorithm (a fast hash, not encryption), which meant it was possible that 99pc of them could be recovered.
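As an added illustration (not code from the article or from FriendFinder’s systems), the weak storage pattern described above beside a hardened replacement: a bare SHA-1 digest yields one identical value for every account sharing a password, so a single precomputed lookup recovers all of them, whereas a per-user salt with a memory-hard KDF does not; the scrypt cost parameters, record format and sample accounts are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Weak scheme, of the kind the article describes: a bare, unsalted SHA-1 digest.
# Identical passwords give identical digests, so one precomputed lookup
# recovers every account that shares a password.
def weak_sha1_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: a per-user random salt and the memory-hard scrypt KDF from
# the standard library. The cost parameters are an assumed example choice.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_hardened(password: str, stored: str) -> bool:
    try:
        scheme, salt_hex, _ = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(hardened_hash(password, salt), stored)

def migrate_on_login(password: str, stored: str) -> Optional[str]:
    """Upgrade a legacy SHA-1 record at the user's next successful login.
    Returns the new scrypt record, or None if the password does not match."""
    if hmac.compare_digest(weak_sha1_hash(password), stored):
        return hardened_hash(password)
    return None

def shared_digest_count(records) -> int:
    """Records whose digest also appears elsewhere in the table: a quick audit
    signal that the table is unsalted (random salts make collisions vanishingly unlikely)."""
    return sum(c for c in Counter(records).values() if c > 1)

# Constructed sample accounts for the demonstration (not real data).
SAMPLE = {"u1": "correct horse", "u2": "correct horse", "u3": "Tr0ub4dor&3"}

if __name__ == "__main__":
    print("shared, SHA-1:", shared_digest_count([weak_sha1_hash(p) for p in SAMPLE.values()]))
    print("shared, scrypt:", shared_digest_count([hardened_hash(p) for p in SAMPLE.values()]))
```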

FriendFinder Networks responds

In response to the breach, FriendFinder Networks has issued a statement admitting a vulnerability existed.

“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability,” said the company’s VP and senior counsel, Diana Ballou.

“FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

Colm Gorey was a senior journalist with Silicon Republic
