Sex and dating website Adult Friend Finder Network has reportedly suffered one of the largest – and potentially compromising – data breaches in internet history.
According to notification site Leaked Source, 412 million accounts were breached last month, compromising names, email addresses as well as weakly secured passwords.
The biggest tranche was 339 million users of AdultFriendFinder.com, “the world’s largest sex and swinger community”, with a further 62 million users of webcam site cams.com, 7.1 million users of Penthouse.com, and 1.4 million users of stripshow.com also lifted.
The breach appears to affect not only current users but potentially anyone who has ever signed up to it or its associated network brands in the last two decades.
Leaked Source’s analysis suggests that 15.7 million of the Adult Friend Finder database were deleted accounts that had not been properly purged.
The most disturbing revelation surrounds the weak state of the site’s passwords security, which the site said were either plain text (125 million accounts) or had been scrambled using the weak SHA-1 algorithm, which is considered trivially easy to crack (the rest).
Leaked Source said:
The hashed passwords seem to have been changed to all lower case before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.
Hashing, which is one-way and can’t be reversed, is often confused with encryption (which is two-way and reversible by design), but suffice it to say its primary function is to verify that a password entered by a user during log-on is correct.
It’s a sort of fingerprint, but a vulnerable one. If the hashing format used is weak the attacker can just compare the hashed output against a “rainbow table”, giant directory of billions of hashes matched to real passwords.
A further problem with SHA-1 and this breach could be the type of “salting” or “peppering” used to defend against rainbow lookups.
Leaked Source seems to have had no difficulty breaking 99% of the hashed passwords, turning up a litany of terrible plain-text choices including the usual “123456”, “password” and “qwerty”. Bizarrely, 12,159 accounts used “Liverpool” as a password, making it the 59th most common.
How did it the hack happen?
There are few details at the moment, although it seems it might (or might not) be connected to a local file inclusion flaw publicised in October by a researcher called Revolver, who also reportedly posted screengrabs from Adult Friend Finder.
Worryingly, the breach is the second suffered by the site in two years after 3.5 million accounts were compromised in 2015. Unlike that incident, the new breach does not contain information on users’ sexual preferences, according to one website that saw some of the data.
Porn and sex site hacks tend to be ones that people remember.
In September, forum data for 800,000 Brazzers.com porn users came to light in an attack dated to 2012.
Biggest and worst of all was the attack on dating site Ashley Madison in 2015 which compromised 37 million accounts, most of which were later leaked.