Sex and dating website Adult Friend Finder Network has reportedly suffered one of the largest – and potentially compromising – data breaches in internet history.
According to breach-notification site Leaked Source, 412 million accounts were exposed last month, compromising names, email addresses and weakly secured passwords.
The biggest tranche was 339 million users of AdultFriendFinder.com, “the world’s largest sex and swinger community”, with a further 62 million users of webcam site cams.com, 7.1 million users of Penthouse.com, and 1.4 million users of stripshow.com also lifted.
The breach appears to affect not only current users but potentially anyone who has ever signed up to it or its associated network brands in the last two decades.
Leaked Source’s analysis suggests that 15.7 million of the records in the Adult Friend Finder database belonged to deleted accounts that had never been properly purged.
The most disturbing revelation concerns the weak state of the site’s password security: according to Leaked Source, passwords were stored either in plain text (125 million accounts) or as SHA-1 hashes (the rest). SHA-1 is a fast general-purpose hash that was never designed for password storage, and password hashes built with it can be brute-forced at billions of guesses per second on commodity GPU hardware.
Leaked Source said:
The hashed passwords seem to have been changed to all lower case before storage, which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.
Hashing, which is one-way and can’t be reversed, is often confused with encryption, which is two-way and reversible by design. In password storage its job is to let the site check that the password typed at log-on is correct without keeping a copy of the password itself.
It’s a sort of fingerprint, but a vulnerable one. If the hash is fast and unsalted, the attacker doesn’t need to reverse it: they can compare the leaked hashes against a precomputed lookup or “rainbow table”, a giant directory of hashes matched to real passwords, or simply hash billions of guesses and look for matches.
A further problem is whether any “salting” (mixing a unique random value into each user’s hash) or “peppering” (adding a secret site-wide value) was used to defeat such lookups. Without a per-user salt, one precomputed table cracks every account that chose the same password.
Leaked Source seems to have had no difficulty breaking 99% of the hashed passwords, turning up a litany of terrible plain-text choices including the usual “123456”, “password” and “qwerty”. Bizarrely, 12,159 accounts used “Liverpool” as a password, making it the 59th most common.
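As an added illustration (example code written for this page, not from Leaked Source or Friend Finder Networks), the following Python shows how the scheme described above, unsalted SHA-1 over a lower-cased password, falls to a single precomputed table, and contrasts it with per-user salted PBKDF2, where no shared table exists, the case the user typed is preserved, and every guess against every account costs a full KDF run. The usernames, passwords and the six-word list are constructed for the demo; the iteration counts are assumptions.

```python
import hashlib
import hmac
import secrets

# --- The weak scheme the article describes: SHA-1 of the lower-cased password,
# --- no salt, one fast hash per password.

def sha1_lower(password: str) -> str:
    """Unsalted SHA-1 of the lower-cased password, hex-encoded."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()

# Constructed stand-in for the leaked table: username -> stored hash.
LEAKED = {
    "alice": sha1_lower("123456"),
    "bob":   sha1_lower("Liverpool"),
    "carol": sha1_lower("LIVERPOOL"),    # collapses to bob's hash after lower-casing
    "dave":  sha1_lower("Tr0ub4dor&3"),  # not in the wordlist below, survives this pass
}

# Constructed wordlist standing in for the multi-gigabyte lists crackers use.
WORDLIST = ["123456", "password", "qwerty", "liverpool", "letmein", "football"]

def build_lookup(words):
    """hash -> plaintext for every word; built once, reused against every account."""
    return {sha1_lower(w): w for w in words}

def crack_unsalted(leaked, lookup):
    """One dictionary probe per account recovers every password in the table."""
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

# --- A sound scheme: per-user random salt, a deliberately slow KDF, case preserved.

def kdf(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def store(password: str, iterations: int = 200_000):
    """Returns the record to persist: (salt, iterations, derived key)."""
    salt = secrets.token_bytes(16)
    return salt, iterations, kdf(password, salt, iterations)

def verify(password: str, record) -> bool:
    salt, iterations, stored = record
    return hmac.compare_digest(kdf(password, salt, iterations), stored)

def crack_salted(records, words):
    """
    Dictionary attack against salted records.  No shared table is possible:
    every (account, candidate) pair costs a full KDF run.  Returns the
    recovered passwords and the number of KDF evaluations spent.
    """
    found, work = {}, 0
    for user, (salt, iterations, stored) in records.items():
        for w in words:
            work += 1
            if hmac.compare_digest(kdf(w, salt, iterations), stored):
                found[user] = w
                break
    return found, work

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted SHA-1:", crack_unsalted(LEAKED, table))
    # Low iteration count so the demo runs quickly; use far more in production.
    recs = {u: store(p, iterations=1_000) for u, p in
            [("alice", "123456"), ("bob", "Liverpool"), ("carol", "LIVERPOOL")]}
    print("salted PBKDF2:", crack_salted(recs, WORDLIST))
```

Against the unsalted table, three of the four accounts fall to a six-entry dictionary, and bob and carol are recovered together because lower-casing merged them. Against the salted records, only alice falls: bob and carol kept their capitals, and the attacker paid thirteen KDF runs for the attempt instead of six hashes shared across the whole dump.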
How did the hack happen?
There are few details at the moment, although the breach may or may not be connected to a local file inclusion (LFI) flaw publicised in October by a researcher known as Revolver, who also reportedly posted screengrabs from Adult Friend Finder.
Worryingly, this is the second breach the site has suffered in two years, after 3.5 million accounts were compromised in 2015. Unlike that incident, the new breach does not appear to include information on users’ sexual preferences, according to one website that saw some of the data.
Porn and sex site hacks tend to be ones that people remember.
In September, forum data for 800,000 Brazzers.com porn users came to light in an attack dated to 2012.
Biggest and worst of all was the attack on dating site Ashley Madison in 2015 which compromised 37 million accounts, most of which were later leaked.
Passwords are often a weak point, with people choosing easily guessed and easily cracked words.
Here we go again! 412 million, is that all? Wonder how many politicians used their government email account. Should we start a betting pool?
According to Dark Reading, included in the leak were 96 million Hotmail accounts, 78,301 US military email accounts, and 5,650 US government accounts.
Somebody needs to do a comprehensive security review of personals websites, considering how much sensitive data they contain by definition.
I would like to say that I completely and wholeheartedly disagree that this is the biggest and most compromising breach of data in internet history. The Office of Personnel Management hack contained far greater information concerning the privacy of millions of US Government and US Cleared Defense Contractor employees. The information contained in the background investigations is far more precious than the identities of those who are on these dating websites. A breach that would be of equal magnitude would be the IRS or the data contained at the Census Bureau.
I’ll accept “biggest” on simple numeric grounds, though I wonder how many of those 412 million accounts really identify a person, but I agree about this not being the “most compromising” breach ever.
For example, I suspect that at least some of the people on this list won’t feel terribly badly compromised, assuming they weren’t trying to hide their membership from a partner but were openly seeking some sort of relationship. But I’ve never met anyone who was even nearly neutral about having their credit card data stolen, even if in the end all they needed was to get a new card issued.
Mind you, it’s peculiarly careless, and the word “compromising” genuinely applies. (I was going to add a smiley but it’s not really funny.)
Clearly, a small breach leaking highly sensitive data could have greater implications than tens of millions of email addresses. There are several examples of this in breach history.
But there is another way to look on size and that is the scale of the reported failure by the company looking after the data. Would 412 million records have been any better defended in this instance had it been highly sensitive?
I think the OP’s point was about how much of a compromise this really was, compared to the sort of detail revealed in some other breaches with fewer records but where the victims were much more seriously exposed to criminality, identity theft, blackmail and more.
Are half a billion emails really more serious than ten million bank account details, or one million salaries and employment histories, or one hundred thousand full medical records?
I would like you to google “SF86” and see what kind of information is gathered for a Top Secret security clearance for work within the United States Government as a civilian, US military service member, or contractor. The information involved in a Single Scope Background Investigation is very invasive to the privacy of the candidate. My point was that the information contained in these breaches and the Ashley Madison breaches was not that damaging compared to the potential damage the OPM hack/breach had on the US Government as a whole. Sure, these breaches may be bad, and may have damaged relationships that could impact clearances; but overall the privacy involved in an SSBI affects the candidate, and the family and friends of said candidate. So an SSBI could have a depth of 3 to 6 people per candidate depending on the investigative body that is doing the investigation.
Might be a haxor that got jilted by his almost lover that turned out to be one of his friends trying to scam people on the site. So in a fit of rage he burned it to the ground. (made for TV, no, the other TV = TeleVision)
The title mentions 412 million accounts and the article lists the following numbers “339” “62” “7.1” and “1.4” but I can’t find the missing 2.5 million. Is that just small miscellaneous items or is it something else?
On another tack, it seems almost unbelievable that anyone would store passwords in plaintext nowadays, especially after being breached once already. Certainly seems irresponsible and I gotta wonder if anything (apart from the desire to curl up and die and/or retain whatever anonymity remains) is going to prevent a class action from the victims.
I wouldn’t be surprised to hear that the plaintext passwords are the oldest and that when the storage system was “improved”, the old passwords were neither updated nor retired.
If you decide to update your chosen salt-stretch-hash storage algorithm, you only get to update the old hashes when each user next logs in, so you absolutely must define a “reset password by” date for accounts where the user doesn’t log in for a while, and stick to it.
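Added example (written for this page, not from the comment author or any real site): a sketch in Python of the upgrade-on-login approach described above. The scheme labels, the cut-off date, the iteration count and the sample users are assumptions made for illustration. Legacy records are verified with the old unsalted lower-cased SHA-1, re-hashed into salted PBKDF2 the moment a correct password is seen (the only time the plaintext is available), and refused outright once the reset-by date has passed, so a scheduled job can retire whatever is left.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Scheme labels and parameters are assumptions made for this example.
LEGACY = "sha1-lower"        # old scheme: unsalted SHA-1 of the lower-cased password
MODERN = "pbkdf2-sha256"     # target scheme: per-user salt, slow KDF, case preserved
RESET = "reset-required"     # placeholder once a legacy hash has been wiped
ITERATIONS = 100_000
# The "reset password by" date: legacy hashes are not accepted on or after it.
RESET_BY = datetime(2017, 3, 1, tzinfo=timezone.utc)

def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()

def modern_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"scheme": MODERN, "salt": salt, "hash": dk}

def check(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record currently uses."""
    if record["scheme"] == LEGACY:
        return hmac.compare_digest(record["hash"], legacy_hash(password))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(record["hash"], dk)

def login(users: dict, username: str, password: str, now: datetime) -> str:
    """
    Returns "ok", "upgraded", "reset-required" or "denied".
    A correct legacy password is re-hashed into the modern scheme on the spot.
    On or after RESET_BY a legacy record is refused without checking the password.
    """
    rec = users.get(username)
    if rec is None:
        return "denied"
    if rec["scheme"] == RESET or (rec["scheme"] == LEGACY and now >= RESET_BY):
        return "reset-required"
    if not check(rec, password):
        return "denied"
    if rec["scheme"] == LEGACY:
        # Store exactly what the user typed: the legacy scheme lower-cased it,
        # so from here on the password is case-sensitive.
        users[username] = modern_record(password)
        return "upgraded"
    return "ok"

def retire_stale(users: dict, now: datetime) -> list:
    """Scheduled job: once the deadline passes, wipe every remaining legacy hash."""
    if now < RESET_BY:
        return []
    stale = sorted(u for u, r in users.items() if r["scheme"] == LEGACY)
    for u in stale:
        users[u] = {"scheme": RESET, "salt": b"", "hash": b""}
    return stale

if __name__ == "__main__":
    # Constructed sample store: one legacy record, one already on the new scheme.
    users = {
        "old": {"scheme": LEGACY, "salt": b"", "hash": legacy_hash("Liverpool")},
        "new": modern_record("hunter2"),
    }
    before = datetime(2016, 12, 1, tzinfo=timezone.utc)
    after = datetime(2017, 6, 1, tzinfo=timezone.utc)
    print(login(users, "old", "liverpool", before))   # upgraded
    print(login(users, "old", "Liverpool", before))   # denied: case now matters
    users["lazy"] = {"scheme": LEGACY, "salt": b"", "hash": legacy_hash("qwerty")}
    print(login(users, "lazy", "qwerty", after))      # reset-required
    print(retire_stale(users, after))                 # ['lazy']
```

Two things the sketch makes visible that a prose description hides: the first successful login after the switch silently turns a case-insensitive password into a case-sensitive one, which is a support-ticket generator worth announcing in advance; and a user who never returns before the deadline is never re-hashed, which is exactly why the scheduled job has to exist.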
There are many sites I’ve been to and, after reading the EULAs, declined to proceed. One I looked at had 95 pages written like an attorney and in all caps. Most tell you they keep your entries in ‘perpetuity’ and that they belong to them! Nobody seems to read them anyway. I think, as you people stated, the biggest lie on the internet… 🙂
I have been in school for Digital Investigations and I will be graduating in February 2017. Those sites being mentioned in this article also have credit card information attached to most accounts. Also, email accounts have personal information that can be used as well. Those hackers were not trying to get at just emails, but personal information which they can use for monetary gain. They can also obtain IP addresses of all those clients and attack those personal devices, which contain even more information.