AdultFriendFinder data breach – what you need to know

Yes, very much so. And we all know what a big story that was, how extortionists attempted to blackmail users, and how lives were damaged as a result.

Still, it sounds nasty – and there clearly remains the potential for blackmail. Are there email addresses associated with the exposed accounts in this latest breach?

I don’t want to be indelicate, so I’ll just tell you it’s strapline: “Hookup, Find Sex or Meet Someone Hot Now”

I’m afraid so. Of the 412 million accounts exposed on the breached sites, in 5,650 cases, email addresses have been used to register accounts. The same goes for 78,301 email addresses.

The news was made public by LeakedSource, who said that the hackers targeted Friend Finder Network Inc, the parent company of AdultFriendFinder, in and stole data that stretched back over Boulder hookup online free the last 20 years.

Fortunately, information about individuals’ sexual preferences do not appear to have been included in the exposed databases

The website of the famous men’s magazine, which was founded in the 1960s. Curiously, Penthouse was sold by Friend Finder Network Inc to a different company, Penthouse Global Media Inc., in , so some eyebrows may be raised as to how the hackers were able to steal information of Penthouse’s users from Friend Finder Network’s systems in .

Penthouse Global Media’s Kelly Holland told ZDNet that her company was “aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data.”

CSO Online reported last month that a vulnerability researcher known as “1?0123” or “Revolver” had uncovered Local File Inclusion (LFI) flaws on the AdultFriendFinder site that could have allowed access to internal databases.

In an email to ZDNet, AdultFriendFinder VP Diana Ballou confirmed that the company had recently been patching vulnerabilities that had been brought to its attention:

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation. While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability. FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

Yes. It appears that many of the passwords appear to have been stored in the database in plaintext. Also, most of the others were hashed weakly using SHA1 and have already been cracked.

Maybe they created the accounts long ago before data breaches became such a regular headline in the newspapers. Maybe they still haven’t learned the benefit of running a password manager that generates random passwords and stores them securely, meaning you don’t have to remember them. Maybe they just get a kick out of living dangerously…

You mean, they assumed AdultFriendFinder would never suffer a data breach again. You see, this isn’t the first time the website has been hit, although this is a much larger attack than the hack they suffered last year.

In , it was revealed that the email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million AdultFriendFinder members were being offered for sale online. The database was later made available for download.

If… umm… a friend of mine was worried that they might have an AdultFriendFinder account, and that their password could have been exposed, what should they do?

Change your password immediately. And make sure that you are not using the same password anywhere else on the net. Remember to always choose strong, hard-to-crack passwords… and never re-use them. If you are signing-up for sites that you’re embarrassed about, it may make sense to use a burner email account rather than one that can be directly associated back to you.

If you’re worried that your data may be breached again, you may wish to delete your account. Of course, requesting an account deletion is no guarantee that your account’s details will actually be deleted.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc