AdultFriendFinder hack 'exposes 412 million users'

Account details were reportedly stored in plaintext

A hook-up and dating site company has allegedly been hacked, exposing over 412 million user accounts.

FriendFinder Networks, which operates sites including Adult FriendFinder, Cams.com and MillionaireMate, has been hit with a massive hack, according to breach tracking site Leaked Source.

While the most common accounts included in the data dump were from adultfriendfinder.com and cams.com, with more than 339 million and 62 million respectively, there were also more than seven million account credentials from penthouse.com, a domain which the company sold back in February.

Advertisement - Article continues below

Leaked Source also found more than 15 million emails in the database in the format of "email@address.com@deleted1.com". The site claimed that signing up with an email in this format is impossible, saying that the '@deleted' suffix was added by FriendFinder Networks.

"We've seen this situation many times before and it likely means these were users who tried to delete their account[s]," Leaked Source said. "The data is obviously still kept around because, you know, we're looking at it."

A total of at least 125 million passwords were stored in plaintext. Even those that were encrypted were hashed with SHA1, an encryption method that major vendors have discontinued due to the ease with which it can be cracked.

Advertisement
Advertisement - Article continues below

The existence of a Local File Inclusion (LFI) vulnerability in FriendFinder Networks' database was brought to the attention of the company last month by a security researcher known on Twitter as 1x0123 (now real1x0123).

Advertisement - Article continues below

They told IT Pro today that the attackers used this same security flaw to infiltrate the company.

IT Proapproached FriendFinder Networks to ask if and how the breach occurred, and for comment on Leaked Source's claims. In a statement, the company did not elaborate on the nature of the vulnerability but confirmed it has opened a security investigation.

"Over the past several weeks, we have received a number of reports regarding potential security vulnerabilities from a variety of sources," FriendFinder Networks said in its statement, emailed to IT Pro. "Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation. Our investigation is ongoing but we will continue to ensure all potential and substantiated reports of vulnerabilities are reviewed and if validated, remediated as quickly as possible."

It added: "FriendFinder takes the security of its customer information seriously and is in the process of notifying affected users to provide them with information and guidance on how they can protect themselves. We will provide further updates as our investigation continues."

Advertisement - Article continues below

Picture credit: Bigstock

This story was originally published at 12.33pm on 14 November. It was updated at 5.24pm later that day with Friend Finder Networks' statement.

19/10/2016:Adult FriendFinder 'has a serious security flaw'

Hook-up and dating site Adult FriendFinder has a serious database vulnerability that could reveal usernames, passwords and other information, it has been claimed.

The suggestion of a security flaw first came from self-styled "underground researcher" 1x0123 on Tuesday night, who posted on Twitter a screen grab that suggested Adult FriendFinder has a Local File Inclusion (LFI) vulnerability.

Researcher 1x0123 wrote: "F**kload of databases with same user/password + runing as root".

Later he or she tweeted: "No reply from#adulfriendfinder.. time to get some sleep they will call it hoax again and i will f**king leak everything".

While there is currently no suggestion of a public data leak, the situation could prove very serious for the company if it is real; a leak would expose vulnerable data that is both highly personal and potentially embarassing.

Advertisement - Article continues below

Diana Lynn Ballou, FriendFinder Networks' VP and senior counsel of corporate compliance and litigation, emailedIT Proa statement that read: "We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected."

The scenario is highly reminiscent of the Ashley Madison hack last year. During that data breach, the details of around 37 million users worldwide were compromised, with a number of people's usernames, login details and other credentials posted online.

This article was originally published on 19 October at 10.26am, and updated at 16.06pm to include FriendFinder's statement.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/hacking/356478/researchers-detail-tetrade-family-of-brazilian-banking-trojans
hacking

Researchers detail Tetrade family of Brazilian banking trojans

16 Jul 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020
Visit/security/phishing/356211/phishing-attacks-target-unsuspecting-wells-fargo-customers
phishing

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Most Popular

Visit/business-strategy/careers-training/356422/ibm-job-ad-calls-for-12-year-experience-with-6-year-old
Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Visit/development/containers/356391/the-rise-of-containers
Sponsored

The rise of containers

9 Jul 2020
Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020