Penthouse, Adult FriendFinder databases leak, at least 100 million accounts impacted

Databases recently obtained by LeakedSource, as well as source code, configuration files, certificate keys, and access control lists, point to a massive compromise at FriendFinder Networks Inc., the company behind AdultFriendFinder.com, Penthouse.com, Cams.com, and more than a dozen other websites.

LeakedSource, a breach notification website that launched in late 2015, received the FriendFinder Networks Inc. databases within the last twenty-four hours.

Administrators for LeakedSource say they’re still sorting and verifying the data, and at this stage they’ve only processed three databases. But what they’ve amassed so far from AdultFriendFinder.com, Cams.com, and Penthouse.com easily surpasses 100 million records. The expectation is that these figures are low estimates, and the count will continue to climb.

LeakedSource was unable to determine when the Adult FriendFinder database was compromised, as they were still processing the data. A guess at the date range spans from September to the week of October 9. However, based on the size, this database contains more records than the 3.5 million that leaked last year.

On Tuesday evening, a researcher who goes by the handle 1×0123 on Twitter – or Revolver in some circles – disclosed the existence of Local File Inclusion (LFI) vulnerabilities on the Adult FriendFinder website.

There were rumors after the LFI flaw was disclosed that the impact was larger than the screen captures of the /etc/passwd file and database schema.

Twelve hours later, 1×0123 said he had worked with Adult FriendFinder and resolved the problem adding that, “…no customer information ever left their site.” However, those claims don’t align with leaked source code and the existence of the databases obtained by LeakedSource.

All three of the databases processed so far contain usernames, email addresses and passwords. The Cams.com and Penthouse.com databases also include IP details and various other internal fields related to the website, such as membership status. The passwords are a mix of SHA1, SHA1 with pepper, and plain text. It isn’t clear why the formatting has such variations.

In addition to the databases, the private and public keys (ffinc-server.key) for a FriendFinder Networks Inc. server were published, along with source code (written in Perl) for credit card processing, user management in the billing database, scripts for internal IT functions and server / network management, and more.

The leak also includes an httpd.conf file for one of FriendFinder Networks Inc.’s servers, as well as an access control list for internal routing, and VPN access. Each network item in this list is defined by the username assigned to a given IP or a server name for internal and external offices.

The leaked data implies several things, said Dan Tentler, the founder of Phobos Group, and a noted security researcher.

First, he explained, the attackers got read access to the server, which means that it would be possible to install shells, or enable persistent remote access. But even if the attacker’s access was unprivileged, they could still move around enough eventually gain access.

“If we assume that dude only has access to this one server, and he got all this from one server, we can imagine what the rest of their infrastructure is like. Considering all of the above, it is very likely that an attacker at my level could turn this kind of access into a full compromise of their entire environment given enough time,” Tentler said.

For example, he could add himself to the access control list and whitelist a given IP. He could abuse any SSH keys that were discovered, or command histories. Or, better still, if root access was gained, he could just replace the SSH binary with one that performs keylogging and wait for the credentials to roll in.

Salted Hash reached out to FriendFinder Networks Inc. about these latest developments, but our phone call was cut short and we were directed to discuss the situation via email.

The company spokesperson hasn’t responded to our questions or notification as far as the wider data breach is concerned. We’ll update this article if they issue any additional statements or reactions.

Update (10-26-2016): During additional follow-up and checking for this story, Salted Hash found a FriendFinder press release from February of this year, detailing the sale of Penthouse.com to Penthouse Global Media Inc. (PGMI). Given the sale, it isn’t clear why FriendFinder would have Penthouse data still, but a company spokesperson still hasn’t responded to questions.