Popular adult dating site Adult Friend Finder, which bills itself as the “World’s Largest Sex & Swinger Community,” has exposed the account data of over 412 million users, in what appears to be one of the largest data breaches of 2016.
This is just the latest breach of Adult Friend Finder, following a high-profile hack of the site in May 2015 that led to the leaking of 4 million records.
The breach reportedly occurred in October, when hackers gained entry to the databases of Adult Friend Finder's parent company, FriendFinder Networks, by using a recently exposed local file inclusion (LFI) exploit.
Officials at Adult Friend Finder said that they were warned of potential vulnerabilities and took steps to prevent a data breach.
“Over the past several weeks, Friend Finder has received a number of reports regarding potential security vulnerabilities,” said FriendFinder Networks vice president Diana Ballou, in an interview with the Telegraph. “Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.”
“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability.”
Which steps were taken, and which vulnerability was fixed, remain unclear, as hackers were nevertheless able to exploit Friend Finder's network and gain access to emails, usernames, and passwords for a total of 412,214,295 accounts.
Users were affected across six domains owned by FriendFinder Networks, according to a report from breach notification site LeakedSource, which first made news of the breach public.
Below is a full breakdown of breached sites, courtesy of LeakedSource (user count, followed by the site's own description):
- 339,774,493 users: "World's largest sex & swinger community"
- 62,668,630 users: "Where adults meet models for sex chat live through webcams"
- 7,176,877 users: adult magazine akin to Playboy
- 1,423,192 users: another 18+ webcam site
- 1,135,731 users: "Free Live Sex Cams"
- 35,372 users: unknown domain
Of the 412 million accounts exposed on the breached sites, 5,650 had been registered with .gov email addresses, which could lead to some awkward workplace conversations. Another 78,301 accounts had been registered with .mil emails.
Passwords stored by Friend Finder Networks were either in plaintext or hashed with unsalted SHA-1, both methods that experts consider dangerously insecure. Furthermore, passwords were converted to all lowercase before being hashed, according to LeakedSource, which shrinks the space an attacker has to search and makes them much easier to recover.
LeakedSource published a list of the most common passwords found in the breach, and in a depressingly familiar story, ‘123456’ and ‘12345’ took the top spots with 900 thousand and 635 thousand instances, respectively.
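As an added illustration of why that storage scheme fails (this is example code, not FriendFinder's), the weak form the report describes, lowercase the password then unsalted SHA-1, beside a salted slow-KDF form; the PBKDF2 parameters and salt length are assumptions chosen for the example:

```python
import hashlib
import hmac
import os

# Weak scheme as described in the report: case-fold, then unsalted SHA-1.
def weak_store(password: str) -> str:
    return hashlib.sha1(password.lower().encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)

# Hardened scheme: keep case, per-user random salt, slow KDF.
# Iteration count and 16-byte salt are assumed values for this example.
ITERATIONS = 100_000

def strong_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def case_variants_collide(password: str, store) -> bool:
    """True if a scheme maps case variants of one password to the same record."""
    return store(password) == store(password.swapcase())

def users_share_record(password: str, store) -> bool:
    """True if two users with the same password get identical stored records,
    which lets one precomputed lookup cover every such account at once."""
    return store(password) == store(password)

if __name__ == "__main__":
    # "123456" was the most common password in the LeakedSource analysis.
    print("weak record for 123456:", weak_store("123456"))
    print("weak: case variants collide ->", case_variants_collide("Password1", weak_store))
    print("weak: users share record   ->", users_share_record("123456", weak_store))
    print("strong: users share record ->", users_share_record("123456", strong_store))
```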
By Jeff Edwards