Adult Friend Finder & Penthouse Hacked

Adult dating and pornography site company Friend Finder Networks has been hacked, exposing the private details of more than 412m accounts and making it one of the largest data breaches ever recorded, according to monitoring firm Leaked Source.

The attack, which took place in October, resulted in email addresses, passwords, dates of last visits, browser information, IP addresses and site membership status across sites run by Friend Finder Networks being exposed.

The breach is bigger in terms of number of users affected than the 2013 leak of 359 million MySpace users’ details and is the biggest known breach of personal data in 2016. It dwarfs the 33m user accounts compromised in the hack of adultery site Ashley Madison and only the Yahoo attack of 2014 was larger with at least 500m accounts compromised.

Sex Hookup Site

Friend Finder Networks operates “one of the world’s largest sex hookup” sites Adult Friend Finder, which has “over 40 million members” that log in at least once every two years, and over 339m accounts. It also runs live sex camera site Cams.com, which has over 62m accounts, adult site Penthouse.com, which has over 7m accounts, and Stripshow.com, iCams.com and an unknown domain with more than 2.5m accounts between them.

Friend Finder Networks vice president and senior counsel, Diana Ballou, told ZDnet: “FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

Ballou also said that Friend Finder Networks brought in outside help to investigate the hack and would update customers as the investigation continued, but would not confirm the data breach.

Penthouse.com’s chief executive, Kelly Holland, told ZDnet: “We are aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data.”

Leaked Source, a data breach monitoring service, said of the Friend Finder Networks hack: “Passwords were stored by Friend Finder Networks either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination.”

The hashed passwords seem to have been altered to be all in lowercase, rather than case specific as entered by the users originally, which makes them easier to break, but possibly less useful for malicious hackers, according to Leaked Source.

Leaked Emails

Among the leaked account details were 78,301 US military email addresses, 5,650 US government email addresses and over 96m Hotmail accounts. The leaked database also included the details of what appear to be almost 16m deleted accounts, according to Leaked Source.

To complicate things further, Penthouse.com was sold to Penthouse Global Media in February. It is unclear why Friend Finder Networks still had the database containing Penthouse.com user details after the sale, and as a consequence exposed their details with the rest of its sites despite no longer operating the property.

It is also unclear who perpetrated the hack. A security researcher known as Revolver claimed to find a flaw in Friend Finder Networks’ security in October, posting the information to a now-suspended Twitter account and threatening to “leak everything” should the company call the flaw report a hoax.

This is not the first time Adult Friend Network has been hacked. In May 2015 the personal details of almost four million users were leaked by hackers, including their login details, emails, dates of birth, post codes, sexual preferences and whether they were seeking extramarital affairs.

David Kennerley, director of threat research at Webroot said: “This is attack on AdultFriendFinder is extremely similar to the breach it suffered last year. It appears to not only have been discovered once the stolen details were leaked online, but even details of users who believed they deleted their accounts have been stolen again. It’s clear that the organisation has failed to learn from its past mistakes and the result is 412 million victims that will be prime targets for blackmail, phishing attacks and other cyber fraud.”

Over 99% of all the passwords, including those hashed with SHA-1, were cracked by Leaked Source meaning that any protection applied to them by Friend Finder Networks was wholly ineffective.

Leaked Source said: “At this time we also can’t explain why many recently registered users still have their passwords stored in clear-text especially considering they were hacked once before.”

Peter Martin, managing director at security firm RelianceACSN said: “It’s clear the company has majorly flawed security postures, and given the sensitivity of the data the company holds this cannot be tolerated.”

Friend Finder Networks has not replied to a request for comment.

Guardian

 

« Why Science Couldn’t Predict a Trump Presidency
Four Amazing Cybersecurity Facts »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Infoblox

Infoblox

Infoblox solutions help businesses automate complex network control functions to reduce costs, increase security and maximize uptime.

AA Certification (AAC)

AA Certification (AAC)

AAC provide ISO Quality Management System certification services including ISO 27001.

HKCERT

HKCERT

HKCERT is the centre for coordination of computer security incident response for local enterprises and Internet Users in Hong Kong.

Callsign

Callsign

Callsign’s mission is to seamlessly power the identification of every web, mobile and physical interaction.

Incognito Forensic Foundation Lab (IFF Lab)

Incognito Forensic Foundation Lab (IFF Lab)

IFF Lab is a premier cyber and digital forensics lab in India that offers forensic services and solutions, cyber security analysis and assessment, IT support, training and consultation.

Raonsecure

Raonsecure

Raonsecure is one of Korea’s leading ICT security software companies – providing a variety of PC and mobile security solutions to financial institutions, government, and enterprise.

PreCog Security

PreCog Security

PreCog Security is a US based cybersecurity risk mitigation company. We specialize in helping you find, minimize and manage vulnerability risk within your product, network and process.

stackArmor

stackArmor

stackArmor specializes in compliance and security-focused solutions delivered using our Agile Cloud Transformation (ACT) methodology.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Air IT

Air IT

Air IT are a responsive, client-focused and award-winning Managed Service Provider, helping clients achieve success and transformation through their IT and communications.

NAK Consulting Services

NAK Consulting Services

NAK is helping organisations to create Secure, Agile IT Environments. Our goal is to be the trusted advisor and managed service partner for our clients.

Siren

Siren

Siren provides the leading Investigative Intelligence Platform to some of the world’s leading Law Enforcement, National Security and Cyber threat investigators.

Phylum

Phylum

Phylum provides powerful, automated software supply chain risk analysis that protects organizations, defends developers and enables secure innovation.

MAUSHIELD

MAUSHIELD

MAUSHIELD is the national platform for sharing cyber threat information and intelligence that can help organisations to improve their cybersecurity posture, minimize risks and prevent cyber-attacks.

ZEST Security

ZEST Security

The ZEST platform natively integrates into your technology stack to make efficient risk remediation possible.

Metrics that Matter (MTM)

Metrics that Matter (MTM)

Metrics that Matter redefines how organizations approach cybersecurity by offering unprecedented insight into the value of their assets to criminals and tailored action plans to protect.