While it's not the first time AdultFriendFinder has been hacked, woo boy, this a big one. The "world's largest sex & swinger community" experienced a breach in October that exposed the information from 412 million accounts across its corporate holdings.
LeakedSource, a breach notification site, first broke the story today. The report claims that accounts, email addresses and passwords were collected into a database that has been made available to online criminal marketplaces. AdultFriendFinder itself makes for 300 million of the breached accounts. The rest of the 412,214,295 leaked individual's information comes from past and present corporate holdings that include Penthouse, Stripshow, and iCams. If you are a past user who believes that you deleted your account and it's all good, I'm sorry to say that 15 million "deleted" accounts are also in the database.
Other information contained in the breach includes whether or not the user was a VIP member, browser information, the last IP address used to log in, and confirmation on a users purchases.
ZDNet obtained a portion of the database to scan for verification. They found that unlike the 2015 breach, which exposed 3.5 million users data, this one contained no information on sexual preferences. From the report:
The three largest site's SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
ZDNet was also able to verify the authenticity of the database by contacting some of the users. Other methods were used for verification and you can see them outlined here.
One user that ZDNet contacted confirmed that he had used the site "once or twice, but said that the information they used was 'fake' because the site requires users to sign up." This would probably apply to many others as well. It is still worth being cautious, keeping an eye on all accounts and changing passwords.
Speaking of passwords, LeakedSource has a breakdown of some of the top ones that were used to log in. Are people ever going to stop using 123456? For fuck's sake, it's all variations on that, "qwerty" and "password" until you hit number 13, which is "pussy."
For its part, AdultFriendFinder told ZDNet the following via email:
"Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation," said Diana Ballou, vice president and senior counsel, in an email on Friday. "While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability," she said. "FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues," she added.
While the numbers are huge, the lack of personal data gives hope that we will not see the kind of extortion that followed the Ashley Madison hack from 2015.
Safe surfing everyone.