A massive FriendFinder data breach has been discovered that impacts more than 412 million users of six adult-oriented friendship, dating, and porn websites. Six databases used by Friend Finder Network Inc. were hacked in October this year, with the hackers managing to steal credentials from hundreds of millions of accounts.
The worst hit was the adult dating website Adultfriendfinder.com, which is touted as the world’s largest sex and swinger community. 339,774,493 current and former users of the site have had their account details exposed. Since the site did not delete the credentials of lapsed users when their membership expired, those details were also obtained by the hackers. Account details from the past 20 years have been exposed.
62,668,630 users of Cams.com have also had their details exposed. Cams.com is a site that lets users meet models via webcams for live sex chat. 7,176,877 users of Penthouse.com have had their details exposed, as have 1,423,192 users of Stripshow.com and 1,135,731 users of iCams.com. A further 35,372 users of an undisclosed domain that was part of the Friend Finder network have also been affected. In total, six databases were hacked and 412,214,295 account details were stolen.
That makes the FriendFinder data breach the largest of 2016 by some distance, far bigger than the 117 million record breach at LinkedIn and the 360 million-record breach at MySpace. The latest FriendFinder data breach is more than 117 times the size of the FriendFinder data breach of May 2015.
According to Leaked Source, some of the email addresses used to register accounts are .mil (military) or .gov (government). In total, 78,301 military email addresses and 5,650 government email addresses were exposed. Those accounts will likely be targeted by phishers. However, given the nature of the websites – many of which are used for extramarital sex hookups – there is considerable potential for extortion.
The data understood to have been stolen in the attack includes usernames, email addresses, and plaintext passwords, although some passwords were hashed with SHA1 with a pepper. Even though some passwords were hashed, they are not considered to be particularly secure: SHA1 is a fast general-purpose hash rather than a password hashing function, so once the pepper is known the hashes offer little resistance to guessing.
According to Leaked Source, 99% of the stolen passwords have now been cracked. One small positive is that the passwords had all been converted to lowercase before being stored, which makes them slightly less useful for attacking other accounts where users have recycled passwords, but only marginally. Malicious hackers intent on compromising other accounts are unlikely to be hindered to any large degree by the conversion to lowercase.
The hackers were able to gain access to the databases by exploiting local file inclusion (LFI) vulnerabilities. On October 18, a researcher with the handle Revolver (1×0123 on Twitter) announced the discovery of LFI vulnerabilities in a module on the production servers used by the Friend Finder network. An LFI vulnerability lets an attacker make an application read and include files located elsewhere on the server, typically by supplying a path in a request parameter that the application passes to a file include without validation, so that the contents of those files end up in the application's output. Revolver published screenshots online demonstrating the flaws.
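The following is an added illustration, not code from the article or from the Friend Finder network, of the LFI pattern described above and of the check that mitigates it. It builds a constructed sandbox directory in place of a real web root; the function names and file names are hypothetical.

```python
import os
import tempfile

# Constructed sandbox: a module directory with one legitimate template, and a
# file outside that directory standing in for a sensitive server-side file.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
MODULES = os.path.join(ROOT, "modules")
os.makedirs(MODULES)
with open(os.path.join(MODULES, "profile.tpl"), "w") as f:
    f.write("<h1>profile</h1>")
SECRET = os.path.join(ROOT, "config.secret")  # constructed stand-in
with open(SECRET, "w") as f:
    f.write("db_password=example")


def include_vulnerable(name: str) -> str:
    """Hypothetical vulnerable include: the request parameter is joined
    straight onto the module path, so '../' segments or an absolute path
    walk out of MODULES and the file's contents land in the response."""
    with open(os.path.join(MODULES, name)) as f:
        return f.read()


def include_hardened(name: str) -> str:
    """Mitigation: resolve the requested path (following symlinks) and refuse
    anything that does not stay inside MODULES or lacks the expected type."""
    root = os.path.realpath(MODULES)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("include outside module directory refused")
    if not target.endswith(".tpl"):
        raise PermissionError("unexpected include type refused")
    with open(target) as f:
        return f.read()


def include_allowed(name: str) -> bool:
    """Does the hardened include accept this request parameter?"""
    try:
        include_hardened(name)
        return True
    except PermissionError:
        return False
```

The vulnerable function happily returns the contents of `config.secret` when handed `../config.secret`; the hardened one rejects both relative traversal and absolute paths while still serving the legitimate template.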
While Revolver later sent a tweet saying the vulnerabilities had been resolved, reports started emerging suggesting that a massive data breach had occurred. At first it was thought to involve around 100 million records, although Leaked Source has now confirmed that it was much bigger than initially thought. Source code from the FriendFinder Networks production environment has also been leaked, along with public/private key pairs. However, the FriendFinder Network has not publicly confirmed that a breach has occurred.
Security experts are warning all users of the above websites to assume that their accounts have been compromised and to take action to mitigate risk, including changing passwords on other sites and social media platforms if passwords have been recycled.