Tell your adult friends: 412 million accounts exposed in Adult Friend Finder hack

Everybody says it’s more difficult to make new friends as an adult, but that’s more or less the purpose behind the website AdultFriendFinder.com. If you’re a member, you already know that, and should probably know this: The Washington Post reports that the site has likely been hit with one of the largest data-breach attacks on record, potentially exposing the user information for more than 412 million accounts going back 20 years.

That’s more than 10 times the number of accounts exposed in the Ashley Madison hack a year ago, which implicated 36 million men and women in charges of infidelity (or at least attempted infidelity). Like Ashley Madison, users of Adult Friend Finder are looking for connections that are explicitly sexual in nature; unlike Ashley Madison, though, these so-called ‘friends’ aren’t necessarily looking to do so behind their spouse’s back. In fact, the people in the site’s ‘swingers’ section are actually looking to do so in front of their spouse.

Anyway, very little information is available about the hack at this time aside from the fact that it happened, and that information, including usernames, emails, join dates, and the date of a user’s last visit, was exposed. But given the flurry of media reports last year outing anyone even marginally famous with an Ashley Madison account, we may see similar reports popping up within the next couple of days. If you have an account on the site—or on Penthouse.com, Cams.com, Alt.com, OutPersonals, or any of the company’s array of other dating/‘dating’ sites—and don’t want anyone to see your masturbation material and/or awkward post-shower selfies, you’d best go check on that right now.

The information was first reported by LeakedSource, which describes itself as ‘a breach notification internet site that specializes in bringing hacking incidents to the public eye.’ It hasn’t been confirmed by anyone at Adult Friend Finder’s parent company FriendFinder Networks, although a representative tells The Washington Post that it’s investigating the situation. The last time Adult Friend Finder was hacked was in May 2015, which is really not that long ago at all.

The personal information of many people who have subscribed to the AdultFriendFinder site over the past 20 years was compromised in one of the largest cyber attacks in modern times.

The email addresses and passwords of 412 million accounts were exposed after the dating platform fell victim to the hack. The leaked information also includes the date of the last visit, browser information, and some purchasing patterns.

Describing itself as the world’s largest adult dating and content community, the AdultFriendFinder site is part of parent company FriendFinder Networks. According to information from LeakedSource, the hackers reportedly obtained access to the databases of the company’s various websites, including information from 62 million users of the Cams.com site and 7 million of the Penthouse site.

The incident occurred last October, according to LeakedSource reports, and has also affected more than 15 million deleted accounts, which were nonetheless still registered in the company’s database.

‘In the past few weeks, FriendFinder has received a series of reports about potential security vulnerabilities from a variety of sources. Soon after receiving this information, we took several measures to examine the situation and have the appropriate external partners brought in to support our investigation,’ Diana Ballou, Vice President of Friend Finder Networks, told the ZDNet site.

This attack has surpassed the one that occurred in 2015 against the AshleyMadison site, in which the data of several thousand users were violated. Currently, the only hack that compares in size is the one that occurred against MySpace, which resulted in over 359 million user accounts leaked online.

It’s not yet clear who is behind the attack on the California-based company. Notably, it occurred around the same time that the security researcher known as Revolver revealed a security flaw in the AdultFriendFinder site, which would allow anyone to execute malicious code on its web server. Revolver denied any responsibility and instead blamed the users of a Russian hacking site.

It is recommended that users registered on any of the Friend Finder Networks websites change their password immediately if they use it on other platforms.

Like all sectors — government, retail, finance and medical — the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways.

Namely, by getting hacked and pwned, hard. Take for example this week’s breach-bloodbath, in which FriendFinder Networks (FFN) lost their source code to criminal hackers and put their users at serious risk. Along with Ashley Madison’s many deceits, FFN has also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.

We learned this week that “sex and swinger” social network Adult FriendFinder was breached, along with most of its other sites. FriendFinder Network Inc. (FFN) operates AdultFriendFinder.com, webcam sex-work site cams.com, Penthouse.com and a few others; a total of six databases were reported in the haul.

The hack and dump performed on FFN has exposed 412,214,295 accounts, according to breach notification site Leaked Source, which disclosed the extent of the privacy disaster on Sunday. Leaked Source said “this data set will not be searchable by the general public on our main page temporarily for the time being.”

But as infosec blog Salted Hash put it, “The point is, these records exist in multiple places online. They’re being sold or shared with anyone who might have an interest in them.”

That’s more users than Twitter and a third of Facebook’s global membership. It’s not bigger than Yahoo’s abysmal security apocalypse, during which we just learned 500 million accounts were compromised in 2014. Yet FFN’s epic catastrophe far exceeds the likes of eBay (145M), Anthem (80M), Sony (77M), JP Morgan Chase (76M), Target (70M) and Home Depot (56M).

What makes it worse than a typical security fail is what’s in the data.

The snatched records contain usernames, email addresses and passwords — nearly all of which are visible in plain text. More than 900,000 accounts used the password “123456,” 101,046 used “password,” tens of thousands used words like “pussy” and “fuckme” — which we suppose is exactly what FriendFinder did to its users by storing their passwords so recklessly.

But wait, there’s more embarrassment to be had by all. Stolen FriendFinder Networks files show that 78,301 accounts used a .mil email address, and 5,650 used a .gov email. The Telegraph reports that addresses associated with the British government include seven gov.uk email addresses, 1,119 from the Ministry of Defence, 12 from Parliament, 54 UK police email addresses, 437 NHS ones and 2,028 from schools. Suffice to say, federal employees are among the pervs who need to make sure they aren’t reusing any of those bad passwords on other accounts.

As we discovered from files exposed in the Ashley Madison breach, FriendFinder wasn’t removing profiles that users believed to be closed or removed. The records were found by Leaked Source to contain 15,766,727 accounts that were likely to have been deleted. They wrote, “It is impossible to register an account using an email that’s formatted this way meaning the addition of ‘@deleted.com’ was done behind the scenes by Adult Friend Finder.”

This breach actually happened last month. Salted Hash first reported the emergence of a serious security issue with FFN, then revealed the beginning of this massive database catastrophe.

In October, a researcher who went by the names “1x0123” and “Revolver” posted screenshots on Twitter showing what’s known as a Local File Inclusion vulnerability on Adult FriendFinder. Revolver is known for finding adult website security issues, and they confirmed to Salted Hash that the flaw was being actively exploited. Right away, Leaked Source began to receive files from FriendFinder’s databases — some 100 million records. Everyone involved believed this was just the beginning of a massive data breach.

After their October disclosure got FriendFinder’s attention, Revolver tweeted that FFN’s security issue was resolved and “no consumer information ever left their site” — which was plainly untrue. Their Twitter account is gone.

FriendFinder Network conceded in a press release on Monday that it was “addressing a security incident involving certain consumer usernames, passwords and email addresses.” It failed to acknowledge the range of records exposed. Although FFN told any users who might be reading its press release to change their passwords, it still hasn’t notified its customers directly, and there are no notifications on any of its compromised websites.

This was the second breach for the site in less than two years. In May 2015, Adult FriendFinder was hacked, and the attackers exposed details of nearly four million users. The compromised information included sexual preferences and personal details, such as whether users were gay or straight and whether they were seeking extramarital affairs, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers.

In that instance, TekSecurity had discovered the files on a darknet forum, and noted that AFF hadn’t reported the breach. They wrote about the files, saying, “there is a ton of directly identifiable information (PII) sitting in a forum on the Darknet that has been viewed 1,756 times.”

Driving home the harm to consumers, the post explained, “It is unknown how many times the breached data files have been downloaded. Though the files were stripped of credit card data, it is still relatively easy to connect the dots and identify thousands upon thousands of users who subscribe to this adult site.”

Security is one area in which adult and porn sites are far behind, and no matter how you feel about sex work and adult entertainment, these are arenas in which strong security should be a priority for all involved. Porn industry trade organization Free Speech Coalition, for its part, is trying to lead the charge. They recently released a brief with the Center for Democracy and Technology (CDT) to try and push porn websites to level up their secure connections and all use https. Right now, the adult sites that have better security are generally indies outside the conventional industry, like queer porn sites and sex culture blogs (like mine).

Hopefully we don’t need another OPM-of-adult security tragedy, like the FriendFinder debacle, to see the leading porn sites with the majority of users get up to speed in the fight against hack attacks. Right now, giants like Pornhub and Brazzers don’t have https.

Encouraging adult sites to make small changes for better security, from hookup sites such as FriendFinder to porn tube sites, is a larger undertaking than you’d think. The idea that there is one “adult industry” is little more than that, a notion. In reality, it’s a wide variety of small business entrepreneurs and large legacy businesses, with a ton of independent contractors constantly flowing through the global network. All are operating without access to the regulated business tools and safe promotional channels every other business can use, of course. Because of the stigma.

That stigma also makes it a highly targeted sector. So, it’s refreshing to see organizations like the Center for Democracy and Technology trying to help coordinate security changes like https for such a controversial industry without judgement.

But in order for it to work, adult mega-empires like FriendFinder will need to stop hiding behind press releases and own up to their security shortcomings. They are going to have to be better than the businesses that aren’t forced to live in the shadows, and they’ll need to do what those businesses aren’t doing: pay attention to hackers.