Adult FriendFinder, Penthouse, and Cams.com are just some of the recently leaked databases

Databases recently obtained by LeakedSource, as well as source code, configuration files, certificate keys, and access control lists, point to a massive compromise at FriendFinder Networks Inc., the company behind AdultFriendFinder.com, Penthouse.com, Cams.com, and more than a dozen other websites.

LeakedSource, a breach notification website that launched in late 2015, received the FriendFinder Networks Inc. databases within the last twenty-four hours.

Administrators for LeakedSource say they’re still sorting and verifying the data, and at this stage they’ve only processed three databases. But what they’ve amassed so far from AdultFriendFinder.com, Cams.com, and Penthouse.com easily surpasses 100 million records. The expectation is that these figures are low estimates, and the count will continue to climb.

LeakedSource was unable to determine when the Adult FriendFinder database was compromised, as they were still processing the data. A guess at the date range spans from September to the week of October 9. However, based on the size, this database contains more records than the 3.5 million that leaked last year.

On Tuesday evening, a researcher who goes by the handle 1x0123 on Twitter – or Revolver in some circles – disclosed the existence of Local File Inclusion (LFI) vulnerabilities on the Adult FriendFinder website.

There were rumors after the LFI flaw was disclosed that the impact was larger than the screen captures of the /etc/passwd file and database schema. Twelve hours later, 1x0123 said he had worked with Adult FriendFinder and resolved the problem adding that, “…no customer information ever left their site.” However, those claims don’t align with leaked source code and the existence of the databases obtained by LeakedSource.

All three of the databases processed so far contain usernames, email addresses and passwords.
The Cams.com and Penthouse.com databases also include IP details and various other internal fields related to the website, such as membership status. The passwords are a mix of SHA1, SHA1 with pepper, and plain text. It isn’t clear why the formatting has such variations.

In addition to the databases, the private and public keys (ffinc-server.key) for a FriendFinder Networks Inc. server were published, along with source code (written in Perl) for credit card processing, user management in the billing database, scripts for internal IT functions and server / network management, and more.

The leak also includes an httpd.conf file for one of FriendFinder Networks Inc.’s servers, as well as an access control list for internal routing, and VPN access. Each network item in this list is defined by the username assigned to a given IP or a server name for internal and external offices.

The leaked data implies several things, said Dan Tentler, the founder of Phobos Group, and a noted security researcher.

First, he explained, the attackers got read access to the server, which means that it would be possible to install shells, or enable persistent remote access. But even if the attacker’s access was unprivileged, they could still move around enough to eventually gain access.

“If we assume that dude only has access to this one server, and he got all this from one server, we can imagine what the rest of their infrastructure is like. Considering all of the above, it is very likely that an attacker at my level could turn this kind of access into a full compromise of their entire environment given enough time,” Tentler said.

For example, he could add himself to the access control list and whitelist a given IP. He could abuse any SSH keys that were discovered, or command histories. Or, better still, if root access was gained, he could just replace the SSH binary with one that performs keylogging and wait for the credentials to roll in.

Salted Hash reached out to FriendFinder Networks Inc.
about these latest developments, but our phone call was cut short and we were directed to discuss the situation via email.

The company spokesperson hasn’t responded to our questions or notification as far as the wider data breach is concerned. We’ll update this article if they issue any additional statements or reactions.

Update (10-26-2016): During additional follow-up and checking for this story, Salted Hash found a FriendFinder press release from February of this year, detailing the sale of Penthouse.com to Penthouse Global Media Inc. (PGMI). Given the sale, it isn’t clear why FriendFinder would have Penthouse data still, but a company spokesperson still hasn’t responded to questions.