The account information of over 412 million FriendFinder users has been compromised in a colossal breach that raided six of the adult-dating company’s databases.
FriendFinder Networks hosts a range of adult-oriented websites offering services from dating to livestream sex chat. The leak exposes the usernames, member information, email addresses, passwords and IP addresses of millions of past and current users.
Among the exposed records are over 5,000 government email addresses, 78,000 military email addresses, and data on over 15 million deleted accounts that had never been purged, stretching back 20 years.
It’s feared that this information, now available on dark web marketplaces, could be used by criminals to potentially identify individuals and target them for extortion or phishing—especially given the nature of the services that FriendFinder provides.
In a statement to the Daily Dot, a FriendFinder Network spokesperson said the company has taken “several steps to review the situation and bring in the right external partners to support our investigation.” The company says its investigation is “ongoing” and will “continue to ensure all potential and substantiated reports of vulnerabilities are reviewed and if validated, remediated as quickly as possible.”
Security researchers at LeakedSource disclosed the scope of the hack in a blog published on Sunday. Without publishing the data itself, the researchers verified that 339 million users of the AdultFriendFinder service, which markets itself as the “world’s largest sex and swinger community”, were affected. A further 72 million accounts belong to users of FriendFinder’s other adult-oriented verticals, including Cams.com, Stripshow.com, iCams.com, and Penthouse.
The vulnerability had been pointed out by a security researcher known as 1x0123, or Revolver, in mid-October. Posting screenshots on a since-suspended Twitter account, 1x0123 identified a Local File Inclusion (LFI) flaw, a class of bug in which a web application includes a file named by a request parameter and can be made to read files it was never meant to serve, such as configuration files holding database credentials. This flaw is alleged to have been the entry point for the breach.
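To make the bug class concrete, here is an added, generic illustration of an LFI flaw beside a hardened version. It is not FriendFinder's code and does not reproduce the specific flaw reported against the site; the template-rendering endpoint, the `template` parameter, the directory layout and the secret file are all assumptions constructed for the demo.

```python
"""Generic Local File Inclusion (LFI) illustration: an endpoint that loads a
page template named by the request, first unchecked, then hardened.
Added example code; the layout below is constructed for the demo and is not
FriendFinder's application."""
import os
import tempfile

# Constructed demo tree: templates/ holds what the app may serve; config.php
# (assumed name) sits one level up and stands in for a secrets file.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
TEMPLATE_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
with open(os.path.join(TEMPLATE_DIR, "home.html"), "w") as f:
    f.write("<h1>home</h1>")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("$db_pass = 'hunter2';")


def render_vulnerable(template: str) -> str:
    """Vulnerable: the request parameter is joined onto the base directory
    unchecked, so a value like '../config.php' walks out of TEMPLATE_DIR and
    returns whatever the web server's user can read."""
    with open(os.path.join(TEMPLATE_DIR, template)) as f:
        return f.read()


# Names the application actually has templates for.
ALLOWED_TEMPLATES = {"home"}


def render_hardened(template: str) -> str:
    """Hardened in two independent layers: (1) the name must be in a fixed
    allowlist, so user input never reaches the filesystem as a path; (2) the
    resolved path must still lie under TEMPLATE_DIR after realpath() has
    collapsed '..' and symlinks, as a defence in depth if the allowlist is
    ever loosened."""
    if template not in ALLOWED_TEMPLATES:
        raise PermissionError(f"unknown template: {template!r}")
    base = os.path.realpath(TEMPLATE_DIR)
    path = os.path.realpath(os.path.join(base, template + ".html"))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("resolved path escapes the template directory")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    # Attacker-controlled parameter value; leaks the secret from the weak code.
    print("vulnerable:", render_vulnerable("../config.php"))
    try:
        render_hardened("../config.php")
    except PermissionError as e:
        print("hardened blocked:", e)
    print("hardened ok:", render_hardened("home"))
```

The allowlist is the real fix; the `realpath`/`commonpath` check matters because string filters on `..` alone are routinely bypassed with encoding tricks and symlinks.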
@real_1x0123 so, is this the same LFI vulnerability you found last month that got them?
— Adam Shepherd (@AdamShepherdUK) November 14, 2016
The leaked data also shows that the sensitive login information of millions of users had been stored mostly in plaintext, and in some places hashed with the dated SHA-1 function (hashing, not encryption: there is no key and nothing to decrypt, but an unsalted, fast hash can be matched against lists of common passwords at very high speed). SHA-1 is not considered secure by current cryptographic standards, and a general-purpose hash of this kind is in any case the wrong tool for password storage, which calls for a salted, deliberately slow function such as bcrypt, scrypt or Argon2.
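The following added example (not FriendFinder's code or LeakedSource's tooling) shows why a bare SHA-1 hash offers little protection once a database leaks, next to salted, iterated storage using PBKDF2 from the Python standard library. The accounts and the wordlist are constructed for the demo; real attacks use lists of hundreds of millions of leaked passwords and GPU hash rates far beyond what this script does.

```python
"""Unsalted SHA-1 password storage versus a salted, iterated KDF.
Added example; account data and wordlist below are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed stand-in for a common-passwords list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "hunter2"]

# Constructed accounts; note two users share a password.
ACCOUNTS = {"alice": "hunter2", "bob": "qwerty",
            "carol": "Tr0ub4dor&3", "dave": "hunter2"}


def sha1_store(password: str) -> str:
    """What the leak showed in places: a bare, unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(stored: dict, wordlist) -> dict:
    """Hash each candidate word once and look every stored hash up in the
    result: with no salt, one pass over the wordlist serves all users at once,
    and identical passwords are visible as identical hashes before any
    cracking happens."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def pbkdf2_store(password: str, iterations: int = 100_000) -> str:
    """Salted and iterated (PBKDF2-HMAC-SHA256). Each record gets a fresh
    random salt, so precomputed tables and shared-hash shortcuts stop
    working, and the iteration count makes each guess expensive. bcrypt,
    scrypt or Argon2id are preferable where a library is available."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Run both schemes over the constructed accounts and report results."""
    sha1_db = {u: sha1_store(p) for u, p in ACCOUNTS.items()}
    cracked = crack_sha1(sha1_db, WORDLIST)
    rec1, rec2 = pbkdf2_store("hunter2"), pbkdf2_store("hunter2")
    return {
        "cracked": cracked,                       # alice, bob, dave fall
        "sha1_shared": sha1_db["alice"] == sha1_db["dave"],
        "salted_differ": rec1 != rec2,            # same password, distinct records
        "verify_ok": pbkdf2_verify("hunter2", rec1),
        "verify_wrong": pbkdf2_verify("hunter3", rec1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only `carol`, whose password is not in the wordlist, survives the dictionary pass against the SHA-1 table; with a salted KDF the attacker must repeat the full wordlist per account, at the iteration cost, and cannot even tell that `alice` and `dave` chose the same password.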
ZDNet was able to independently verify the authenticity of LeakedSource’s report after being given access to a sample of the leaked database. After contacting a number of email addresses, individuals confided that they were or had been account holders at one of the FriendFinder websites and one remarked that he was “unsurprised” by the breach.
That lack of surprise is understandable, because this is not the first time FriendFinder has suffered a serious hack. In May 2015, over 3.5 million of the company’s users had their data stolen in an incident comparable to the one adult-dating site Ashley Madison suffered. This latest breach, however, exceeds all of them in sheer size.
FriendFinder Network has vowed to provide more information into the breach if it becomes available.
Update: 10:55am CT, Nov. 14: Added comment from FriendFinder Network.