What has happened?

The AdultFriendFinder website appears to have been hacked, exposing the personal information of hundreds of millions of user accounts.

What is AdultFriendFinder?

I don’t want to be indelicate, so I’ll just tell you its strapline: “Hookup, Find Sex or Meet Someone Hot Now”.

Oh! So like Ashley Madison?

Yes, very much so. And we all know what a big story that was, how extortionists attempted to blackmail users, and how lives were damaged as a result. Fortunately, information about individuals’ sexual preferences does not appear to have been included in the exposed databases.

Still, it sounds nasty – and there clearly remains the potential for blackmail. Are there any .gov and .mil email addresses associated with the exposed accounts in this latest breach?

I’m afraid so. Of the 412 million accounts exposed on the breached sites, 5,650 were registered with .gov email addresses, and 78,301 with .mil email addresses.

Who discovered that AdultFriendFinder had suffered a data breach? And what sites are affected?

The news was made public by LeakedSource, who said that the hackers targeted Friend Finder Network Inc, the parent company of AdultFriendFinder, in October 2016 and stole data that stretched back over the last 20 years.

Affected sites include not just AdultFriendFinder but also the adult webcam sites Cams.com, iCams.com and Stripshow.com, as well as Penthouse.com.

At the time of writing, AdultFriendFinder has not published any statement on its website about the security breach.

Penthouse.com?

The website of the famous men’s magazine, which was founded in the 1960s.
Curiously, Penthouse.com was sold by Friend Finder Network Inc to a different company, Penthouse Global Media Inc., in February 2016, so some eyebrows may be raised as to how the hackers were able to steal information about Penthouse.com’s users from Friend Finder Network’s systems in October 2016.

Penthouse Global Media’s Kelly Holland told ZDNet that her company was “aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data.”

How did the hackers get in?

CSO Online reported last month that a vulnerability researcher known as “1×0123” or “Revolver” had uncovered Local File Inclusion (LFI) flaws on the AdultFriendFinder site that could have allowed access to internal databases.

It’s possible that other hackers might have used the same flaw to gain access.

In an email to ZDNet, AdultFriendFinder VP Diana Ballou confirmed that the company had recently been patching vulnerabilities that had been brought to its attention:

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation. While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability. FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

Are passwords at risk too?

Yes. Many of the passwords appear to have been stored in the database in plaintext, and most of the others were hashed weakly using SHA1 and have already been cracked.

A quick look at the passwords that have been exposed, sorted by popularity, tells a familiarly depressing tale.
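The Local File Inclusion flaws mentioned above belong to a well-understood class of bug: a file name taken from the request is used to pick which file on disk gets read or included. The following is an added example, not code from this article or from Friend Finder’s site, written in Python to show the vulnerable pattern beside a hardened loader. The directory layout, the template name and the contents of config.ini are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Only plain template names are acceptable; anything else is rejected before the disk is touched.
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def make_demo_root() -> Path:
    """Constructed fixture: a throwaway directory so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "templates").mkdir()
    (root / "templates" / "profile.html").write_text("<h1>profile</h1>")
    # A file that must never be served to a browser (constructed contents).
    (root / "config.ini").write_text("db_password=constructed-secret")
    return root


def load_template_unsafe(root: Path, name: str) -> str:
    """Vulnerable pattern: the request parameter is joined straight onto the path.

    Nothing stops '..' segments, so the caller decides which file is read.
    """
    return (root / "templates" / name).read_text()


def load_template_safe(root: Path, name: str) -> str:
    """Hardened loader: allow-list the name, then confine the resolved path.

    Both checks are kept on purpose: the allow-list is the primary control,
    and the path confinement catches anything the pattern would let through
    (for example a symlink planted inside the template directory).
    """
    if not TEMPLATE_NAME.match(name):
        raise ValueError(f"rejected template name: {name!r}")
    base = (root / "templates").resolve()
    target = (base / name).resolve()
    # resolve() follows symlinks and collapses '..', so anything that lands
    # outside 'base' makes relative_to() raise ValueError.
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes template directory: {name!r}") from None
    return target.read_text()


if __name__ == "__main__":
    demo = make_demo_root()
    print(load_template_safe(demo, "profile.html"))
    for bad in ("../config.ini", "/etc/hostname"):
        try:
            load_template_safe(demo, bad)
        except ValueError as exc:
            # Log rejections in production: a burst of them is a useful detection signal.
            print("blocked:", exc)
```

The unsafe loader is kept only to make the contrast concrete; the point is that the fix is not escaping a few characters but refusing to let the client name a path at all, and logging the refusals so that probing shows up in monitoring.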
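To see why SHA1-hashed passwords fall so quickly, and why the later advice never to reuse a password matters, here is an added example in Python (not code from the article or from Friend Finder). It contrasts the weak scheme, one unsalted SHA1 digest per account, with per-user salted PBKDF2-HMAC-SHA256 and a constant-time check. The account names and passwords are constructed sample data; the 600,000-iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def sha1_unsalted(password: str) -> str:
    """The weak scheme: no salt, one fast hash, same input -> same output everywhere."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_password_groups(records: dict) -> list:
    """Group accounts whose stored digests are identical.

    With an unsalted fast hash, everyone who picked '123456' shares one digest,
    so a leaked table reveals password sharing (and, across breaches, reuse)
    without any cracking effort at all. Returns sorted groups of size > 1.
    """
    by_hash = defaultdict(list)
    for user, digest in records.items():
        by_hash[digest].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Stronger storage: random per-user salt plus a deliberately slow KDF.

    The salt makes identical passwords produce different records, and the
    iteration count makes each guess expensive. bcrypt, scrypt or Argon2
    are equally good choices; the format here is a simple '$'-joined string.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample table in the weak format.
    weak = {
        "alice": sha1_unsalted("123456"),
        "bob": sha1_unsalted("123456"),
        "carol": sha1_unsalted("hunter2"),
    }
    print("accounts sharing a password:", duplicate_password_groups(weak))
    a, b = hash_password("123456"), hash_password("123456")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("123456", a), "wrong:", verify_password("1234567", a))
```

Two lessons come out of running it: the weak table exposes which accounts share a password before any guessing begins, and the salted records do not, so a defender reviewing a credential store can spot the SHA1 format (a bare 40-hex-character digest) as a finding in its own right.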
Those are terrible passwords! Why do people choose such lousy passwords?

Maybe they created the accounts long ago, before data breaches became such a regular headline in the newspapers. Maybe they still haven’t learned the benefit of running a password manager that generates random passwords and stores them securely, meaning you don’t have to remember them. Maybe they just get a kick out of living dangerously…

Or maybe they assumed AdultFriendFinder would never suffer a data breach?

You mean, they assumed AdultFriendFinder would never suffer a data breach again. You see, this isn’t the first time the website has been hit, although this is a much larger attack than the hack it suffered last year.

In May 2015, it was revealed that the email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million AdultFriendFinder members were being offered for sale online. The database was later made available for download.

If… umm… a friend of mine was worried that they might have an AdultFriendFinder account, and that their password could have been exposed, what should they do?

Change your password immediately. And make sure that you are not using the same password anywhere else on the net. Remember to always choose strong, hard-to-crack passwords… and never re-use them. If you are signing up for sites that you’re embarrassed about, it may make sense to use a burner email account rather than one that can be directly associated back to you.

If you’re worried that your data may be breached again, you may wish to delete your account. Of course, requesting an account deletion is no guarantee that your account’s details will actually be deleted.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.