Adult dating company Friend Finder exposed two decades’ worth of data after a vulnerability exploit compromised its website, according to news reports.
The online hook-up site revealed 339 million accounts from AdultFriendFinder.com, including 15 million supposedly deleted accounts. Another 62 million belong to Cams.com, and 7 million come from Penthouse.com, as well as a few million from smaller properties owned by the company.
“We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports,” the site’s VP Diana Lynn Ballou told CSO Online. “If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.”
Reportedly, hackers took advantage of a file inclusion vulnerability disclosed in October by a researcher. The vulnerability permitted the disclosure of private information such as server passwords.
As a result, the attacker got access to SQL databases containing stored usernames, email addresses, and passwords saved in plaintext or secured with SHA-1, a widely used hash function that is no longer considered strong, cryptographically speaking.
99 percent of all passwords from the databases are visible in plain text, according to breach notification site LeakedSource.
“Passwords were stored by Friend Finder Network either in plain visible format or SHA1 hashed (peppered),” LeakedSource says. “Neither method is considered secure by any stretch of the imagination, and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack, but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.”
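The storage weaknesses quoted above, as an added illustration that is not part of the original report: a scheme modelled on the one described (password lowercased, then unsalted SHA-1 with a site-wide pepper) beside a per-user salted, slow-KDF scheme. The pepper value is constructed, and the choice of PBKDF2-HMAC-SHA256 as the hardened alternative is an assumption for demonstration, not what the company uses.

```python
import hashlib
import hmac
import os

# Constructed site-wide secret standing in for the "pepper" the report mentions.
PEPPER = b"constructed-site-wide-pepper"


def weak_hash(password: str) -> str:
    """Modelled weak scheme: lowercase the password, then unsalted SHA-1.

    Two properties make this easy to audit for:
    - lowercasing collapses case-variant passwords onto one digest
    - no per-user salt, so users sharing a password share a digest
    """
    return hashlib.sha1(PEPPER + password.lower().encode("utf-8")).hexdigest()


def weak_case_collision(a: str, b: str) -> bool:
    """True when two passwords differing only in case produce the same digest."""
    return weak_hash(a) == weak_hash(b)


def strong_hash(password: str, salt=None) -> tuple:
    """Hardened alternative (assumed): random per-user salt + PBKDF2-HMAC-SHA256.

    Returns (salt, digest); both are stored with the user record.
    Iteration count kept moderate here so the example runs quickly.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt/digest pair."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def strong_shared_password_distinguishable(password: str) -> bool:
    """With per-user salts, two users with the same password get different digests."""
    _, d1 = strong_hash(password)
    _, d2 = strong_hash(password)
    return d1 != d2
```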
Also, nearly a million accounts used “123456” as password and more than 100,000 are secured with “password.” Interestingly, there are also 5,600 government email addresses registered on the website (.gov), and some 78,000 belonging to US military officials.
This incident marks the second breach of Friend Finder in two years, the first occurring in May 2015.