Adult dating service company Friend Finder Network has reportedly been hacked, with over 412 million accounts, e-mail addresses and passwords from their websites made available on criminal marketplaces. Notably, the database does not include more detailed personal information, but could still be used to confirm whether a person was a user of the service.
Breach notification site LeakedSource first reported the attack, indicating that over 300 million AdultFriendFinder accounts were affected, as well as over 60 million accounts from Cams.com. Other company holdings, such as Penthouse, Stripshow, and iCams were also breached, for a total of 412,214,295 affected users.
The company kept 15 million deleted user accounts
The hack also revealed that the company had kept information on 15 million accounts that users had deleted, as well as information on users for assets it no longer owned, such as Penthouse. By comparison, the Ashley Madison hack that took place in July 2015 revealed 32 million accounts, although that attack was also accompanied by a more aggressive extortion campaign.
According to CSO Online, a security researcher going by the name Revolver uncovered Local File Inclusion vulnerabilities on the site in October. Shortly thereafter, Friend Finder Network's Vice President, and Senior Counsel of Corporate Compliance & Litigation, Diana Lynn Ballou provided CSO Online with a statement: "We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports." This isn't the first time AdultFriendFinder has run into trouble: in May 2015, 3.5 million user accounts were exposed in another hack.
User data was stored in plain visible format or with the insecure secure hash algorithm 1 (SHA-1)
According to LeakedSource, Friend Finder Network had stored their user passwords in plain visible format, or with with Secure Hash algorithm 1 (SHA-1), which is not considered secure. According to ZDNet, which obtained a portion of the database and confirmed its legitimacy, the leaked information "does not appear to contain sexual preference data, unlike the 2015 breach." However, the site was able to see account usernames, e-mails, passwords, the last login, IP addresses, browser information and other information.
Friend Finders Network did disclose to ZDNet that it had been aware of vulnerabilities and had taken steps to correct it. Reached by phone, a company representative noted that they could not disclose information about the breach, but that they would be in touch. We will update this story if we hear back.