The latest in massive data breaches: adult dating and entertainment company Adult Friend Finder Network has had the information of over 412 million accounts compromised in an attack on their database. The breach included “339 million accounts from AdultFriendFinder.com, which the company promotes as the ‘world's largest sex and swinger community.’”
78,301 of those accounts had military email addresses, and 5,650 were government email addresses. What is more, close to 16 million of the accounts had previously been deleted by users, but were not expunged from the databases.
It was the largest breach ever recorded, according to Leaked Source. Email addresses, passwords, dates of last visits, browser information, IP addresses, and site membership status of users across Adult Friend Finder's network of sites were leaked.
This included users of the site penthouse.com – though Adult Friend Finder sold this website to Penthouse Global Media in February. By keeping user details in their database even after the penthouse.com sale, Adult Friend Finder “exposed their details with the rest of its sites despite no longer operating the property.”
This is not the first time that the company has been a victim of an attack. In May 2015, information from over four million users was leaked, including, “their login details, emails, dates of birth, post codes, sexual preferences and whether they were seeking extramarital affairs.”
According to Stu Sjouwerman, “This hack is very similar to the data breach they had last year. Their procedures and policies are severely lacking... Adult Friend Finder had failed to learn from their mistakes and now 412 million people are high-value targets for blackmail, phishing attacks and other cybercrime. This is ten times worse than the Ashley Madison hack.”
Despite being hacked in 2015, the company still stored usernames and passwords in plain visible format or in SHA1 hashed format. Neither method is considered secure, and “the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.”
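The storage weakness described above, as an added example (not code from Friend Finder Networks or the article's sources): lowercasing before unsalted SHA-1 makes case variants and reused passwords share one digest, while a salted, slow KDF with case preserved does not. The function names, the PBKDF2 iteration count and the sample accounts are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def legacy_hash(password: str) -> str:
    """Scheme the article describes: lowercase the password, then unsalted SHA-1."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt, slow KDF (PBKDF2-HMAC-SHA256), case preserved."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def hardened_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hardened_hash(password, salt)[1], expected)


def shared_digests(records: dict[str, str]) -> list[list[str]]:
    """Group users whose stored digests are identical: one recovered password exposes the group."""
    groups = defaultdict(list)
    for user, digest in records.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts (not real data).
SAMPLE = {"alice": "Summer2016", "bob": "summer2016", "carol": "SUMMER2016", "dave": "x9!Tq"}

if __name__ == "__main__":
    legacy = {user: legacy_hash(pw) for user, pw in SAMPLE.items()}
    print("legacy scheme, users sharing a digest:", shared_digests(legacy))
    hardened = {user: hardened_hash(pw)[1].hex() for user, pw in SAMPLE.items()}
    print("hardened scheme, users sharing a digest:", shared_digests(hardened))
```

Running `shared_digests` over a credential table is also a quick audit: any group it returns means the stored hashes are unsalted or the input was normalised before hashing.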
Though she did not outright confirm the data breach, Friend Finder Networks vice president and senior counsel, Diana Ballou, told ZDNet: “Friend Finder has received a number of reports regarding potential security vulnerabilities from a variety of sources. While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”
Because of the sensitive nature of the information, including whether or not users are having extramarital affairs, user details are a prime target for cyber criminals to use as leverage. Adult Friend Finder users could now find themselves victims of extortion, social engineering, phishing, and blackmail. Be especially wary of phishing emails that invite recipients to visit fake websites to check whether their or their spouse’s information was part of the hack, when in reality it is just a scam.
Peter Martin, managing director at security firm RelianceACSN said: “It’s clear the company has majorly flawed security postures, and given the sensitivity of the data the company holds this cannot be tolerated.”
No matter the nature of their services, companies of all types should use data breaches like these as a warning that no one is safe from them, and that it is vital to use the best possible security practices.