412 million FriendFinder accounts exposed by hackers

Hacked accounts linked to AdultFriendFinder.com, Cams.com, iCams.com, Stripshow.com, and Penthouse.com

adultfriendfinder screengrab
Credit: AdultFriendFinder

Six databases from FriendFinder Networks Inc., the company behind some of the world’s largest adult-oriented social websites, have been circulating online since they were compromised in October.

LeakedSource, a breach notification website, disclosed the incident fully on Sunday and said the six compromised databases exposed 412,214,295 accounts, with the bulk of them coming from AdultFriendFinder.com

It’s believed the incident happened prior to October 20, 2016, as timestamps on some records indicate a last login of October 17. This timeline is also somewhat confirmed by how the FriendFinder Networks episode played out.

On October 18, 2016, a researcher who goes by the handle 1x0123 on Twitter, warned Adult FriendFinder about Local File Inclusion (LFI) vulnerabilities on their website, and posted screenshots as proof.

When asked directly about the issue, 1x0123, who is also known in some circles by the name Revolver, said the LFI was discovered in a module on AdultFriendFinder’s production servers.

Not long after he disclosed the LFI, Revolver stated on Twitter the issue was resolved, and “...no customer information ever left their site.”

His account on Twitter has since been suspended, but at the time he made those comments, Diana Lynn Ballou, FriendFinder Networks' VP and Senior Counsel of Corporate Compliance & Litigation, directed Salted Hash to them in response to follow-up questions about the incident.

On October 20, 2016, Salted Hash was the first to report FriendFinder Networks had likely been compromised despite Revolver’s claims, exposing more than 100 million accounts.

In addition to the leaked databases, the existence of source code from FriendFinder Networks' production environment, as well as leaked public / private key-pairs, further added to the mounting evidence the organization had suffered a severe data breach.

FriendFinder Networks never offered any additional statements on the matter, even after the additional records and source code became public knowledge.

As mentioned, earlier estimates placed the FriendFinder Networks data breach at more than 100 million accounts.

These early estimates were based on the size of the databases being processed by LeakedSource, as well as offers being made by others online claiming to possess 20 million to 70 million FriendFinder records - most of them coming from AdultFriendFinder.com.

The point is, these records exist in multiple places online. They're being sold or shared with anyone who might have an interest in them.

On Sunday, LeakedSource reported the final count was 412 million users exposed, making the FriendFinder Networks leak the largest one yet in 2016, surpassing the 360 million records from MySpace in May.

This data breach also marks the second time FriendFinder users have had their account information compromised; the first time being in May of 2015, which impacted 3.5 million people.

The figures disclosed by LeakedSource on Sunday include:

  • 339,774,493 compromised records from AdultFriendFinder.com

  • 62,668,630 compromised records from Cams.com

  • 7,176,877 compromised records form Penthouse.com

  • 1,135,731 compromised records from iCams.com

  • 1,423,192 compromised records from Stripshow.com

  • 35,372 compromised records from an unknown domain

All of the databases contain usernames, email addresses and passwords, which were stored as plain text, or hashed using SHA1 with pepper. It isn’t clear why such variations exist.

“Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world,” LeakedSource said, discussing the password storage options.

In all, 99-percent of the passwords in the FriendFinder Networks databases have been cracked. Thanks to easy scripting, the lowercase passwords aren’t going to hinder most attackers who are looking to take advantage of recycled credentials.

In addition, some of the records in the leaked databases have an “rm_” before the username, which could indicate a removal marker, but unless FriendFinder confirms this, there’s no way to be certain.

Another curiosity in the data centers on accounts with an email address of email@address.com@deleted1.com.

Again, this could mean the account was marked for deletion, but if so, why was the record fully intact? The same could be asked for the accounts with "rm_" as part of the username.

Moreover, it also isn’t clear why the company has records for Penthouse.com, a property FriendFinder Networks sold earlier this year to Penthouse Global Media Inc.

Salted Hash reached out to FriendFinder Networks and Penthouse Global Media Inc. on Saturday, for statements and to ask additional questions. By the time this article was written however, neither company had responded. (See update below.)

Salted Hash also reached out to some of the users with recent login records.

These users were part of a sample list of 12,000 records given to the media. None of them responded before this article went to print. At the same time, attempts to open accounts with the leaked email address failed, as the address was already in the system.

As things stand, it looks as if FriendFinder Networks Inc. has been thoroughly compromised. Hundreds of millions of users from all across the globe have had their accounts exposed, leaving them open to Phishing, or even worse, extortion.

This is especially bad for the 78,301 people who used a .mil email address, or the 5,650 people who used a .gov email address, to register their FriendFinder Networks account.

On the upside, LeakedSource only disclosed the full scope of the data breach. For now, access to the data is limited, and it will not be available for public searches.

For anyone wondering if their AdultFriendFinder.com or Cams.com account has been compromised, LeakedSource says it’s best to just assume it has.

“If anyone registered an account prior to November of 2016 on any Friend Finder website, they should assume they are impacted and prepare for the worst,” LeakedSource said in a statement to Salted Hash.

On their website, FriendFinder Networks says they have more than 700,000,000 total users, spread across 49,000 websites in their network - gaining 180,000 registrants daily.

Update:

FriendFinder has issued a somewhat public advisory about the data breach, but none of the impacted websites have been updated to reflect the notice. As such, users registering on AdultFriendFinder.com wouldn’t have a clue that the company has recently suffered a massive security incident, unless they’ve been following technology news.

According to the statement published on PRNewswire, FriendFinder Networks will start notifying affected users about the data breach. However, it isn’t clear if they will notify some or all 412 million accounts that have been compromised. The company still hasn’t responded to questions sent by Salted Hash.

“Based on the ongoing investigation, FFN has not been able to determine the exact volume of compromised information. However, because FFN values its relationship with customers and takes seriously the protection of customer data, FFN is in the process of notifying affected users to provide them with information and guidance on how they can protect themselves,” the statement said in part.

In addition, FriendFinder Networks has hired an outside firm to support its investigation, but this firm wasn’t named directly. For now, FriendFinder Networks is urging all users to reset their passwords.

In an interesting development, the press release was authored by Edelman, a firm known for Crisis PR. Prior to Monday, all press requests at FriendFinder Networks were managed by Diana Lynn Ballou, so this appears to be a recent change.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.