Hacked accounts linked to AdultFriendFinder.com, Cams.com, iCams.com, Stripshow.com, and Penthouse.com.
Six databases from FriendFinder Networks Inc., the company behind some of the world’s largest adult-oriented social websites, have been circulating online since they were compromised in October.
LeakedSource, a breach notification website, disclosed the incident fully on Sunday and said the six compromised databases exposed 412,214,295 accounts, with the bulk of them coming from AdultFriendFinder.com.
It’s believed the incident happened prior to October 20, 2016, as timestamps on some records indicate a last login of October 17. This timeline is also somewhat confirmed by how the FriendFinder Networks episode played out.
On October 18, 2016, a researcher who goes by the handle 1×0123 on Twitter, warned Adult FriendFinder about Local File Inclusion (LFI) vulnerabilities on their website, and posted screenshots as proof.
When asked directly about the issue, 1×0123, who is also known in some circles by the name Revolver, said the LFI was discovered in a module on AdultFriendFinder’s production servers.
Not long after he disclosed the LFI, Revolver stated on Twitter the issue was resolved, and “…no customer information ever left their site.”
His account on Twitter has since been suspended, but at the time he made those comments, Diana Lynn Ballou, FriendFinder Networks’ VP and Senior Counsel of Corporate Compliance & Litigation, directed Salted Hash to them in response to follow-up questions about the incident.
On October 20, 2016, Salted Hash was the first to report FriendFinder Networks had likely been compromised despite Revolver’s claims, exposing more than 100 million accounts.
In addition to the leaked databases, the existence of source code from FriendFinder Networks’ production environment, as well as leaked public / private key-pairs, further added to the mounting evidence the organization had suffered a severe data breach.
FriendFinder Networks never offered any additional statements on the matter, even after the additional records and source code became public knowledge.
As mentioned, earlier estimates placed the FriendFinder Networks data breach at more than 100 million accounts.
These early estimates were based on the size of the databases being processed by LeakedSource, as well as offers being made by others online claiming to possess 20 million to 70 million FriendFinder records – most of them coming from AdultFriendFinder.com.
The point is, these records exist in multiple places online. They’re being sold or shared with anyone who might have an interest in them.
On Sunday, LeakedSource reported the final count was 412 million users exposed, making the FriendFinder Networks leak the largest one yet in 2016, surpassing the 360 million records from MySpace in May.
This data breach also marks the second time FriendFinder users have had their account information compromised; the first time being in May of 2015, which impacted 3.5 million people.
The figures disclosed by LeakedSource on Sunday include:
- 339,774,493 compromised records from AdultFriendFinder.com
- 62,668,630 compromised records from Cams.com
- 7,176,877 compromised records form Penthouse.com
- 1,135,731 compromised records from iCams.com
- 1,423,192 compromised records from Stripshow.com
- 35,372 compromised records from an unknown domain
All of the databases contain usernames, email addresses and passwords, which were stored as plain text, or hashed using SHA1 with pepper. It isn’t clear why such variations exist.
“Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world,” LeakedSource said, discussing the password storage options.
In all, 99-percent of the passwords in the FriendFinder Networks databases have been cracked. Thanks to easy scripting, the lowercase passwords aren’t going to hinder most attackers who are looking to take advantage of recycled credentials.
In addition, some of the records in the leaked databases have an “rm_” before the username, which could indicate a removal marker, but unless FriendFinder confirms this, there’s no way to be certain.
Another curiosity in the data centers on accounts with an email address of firstname.lastname@example.org@deleted1.com.
Again, this could mean the account was marked for deletion, but if so, why was the record fully intact? The same could be asked for the accounts with “rm_” as part of the username.
Moreover, it also isn’t clear why the company has records for Penthouse.com, a property FriendFinder Networks sold earlier this year to Penthouse Global Media Inc.
Salted Hash reached out to FriendFinder Networks and Penthouse Global Media Inc. on Saturday, for statements and to ask additional questions. By the time this article was written however, neither company had responded.
Salted Hash also reached out to some of the users with recent login records.
These users were part of a sample list of 12,000 records given to the media. None of them responded before this article went to print. At the same time, attempts to open accounts with the leaked email address failed, as the address was already in the system.
As things stand, it looks as if FriendFinder Networks Inc. has been thoroughly compromised. Hundreds of millions of users from all across the globe have had their accounts exposed, leaving them open to Phishing, or even worse, extortion.
This is especially bad for the 78,301 people who used a .mil email address, or the 5,650 people who used a .gov email address, to register their FriendFinder Networks account.
On the upside, LeakedSource only disclosed the full scope of the data breach. For now, access to the data is limited, and it will not be available for public searches.
For anyone wondering if their AdultFriendFinder.com or Cams.com account has been compromised, LeakedSource says it’s best to just assume it has.
“If anyone registered an account prior to November of 2016 on any Friend Finder website, they should assume they are impacted and prepare for the worst,” LeakedSource said in a statement to Salted Hash.
On their website, FriendFinder Networks says they have more than 700,000,000 total users, spread across 49,000 websites in their network – gaining 180,000 registrants daily.