Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed

412,214,295 user accounts were exposed from Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com. iCams.com and an unknown domain.

adultfriendfinder screengrab
Credit: AdultFriendFinder

More than 412 million user accounts have been exposed thanks FriendFinder Networks being hacked. The breach included 20 years of historical customer data from six compromised databases: Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com. iCams.com, and an unknown domain. This, the 412,214,295 exposed records, is the biggest data breach in 2016, according to LeakedSource.

Back in October, Steve Ragan of CSO’s Salted Hash was the first to report vulnerabilities found on Adult Friend Finder. At the time, Friend Finder Networks vice president and senior counsel Diana Lynn Ballou told Ragan that the company was investigating reports of a security incident; if true, then affected customers would be notified.

Yet it wasn’t until Sunday, Nov. 13, that details about the massive breach became known. The notification did not come via the Friend Finder Networks (FFN), but from LeakedSource, which called the FriendFinder Networks breach the “largest hack of 2016.”

(The Yahoo hack, which exposed 500 million records, happened in 2014 even if the public did not learn the full extent of the breach until 2016.)

According to LeakedSource, the six FFN databases included usernames, email addresses and passwords stored either in plaintext or hashed using SHA1 with pepper. The 412,214,295 exposed records from the breach break down like this:

 
Number of compromised records
Passwords in plaintext
Passwords hashed with SHA1

AdultFriendFinder.com    

339,774,493
103,070,536
232,137,460

Cams.com

62,668,630
21,422,277
41,209,412

Penthouse.com

7,176,877
495,720
6,678,239

Stripshow.com

1,135,731
272,409
863,317

ICams.com

1,423,192
342,889
1,080,303

Unknown domain

35,372
   

It is believed the hack occurred in October. LeakedSource decided not to make the data searchable at this time. If you had an account on any FFN site, you should likely consider it to be compromised. Notice that was in the past tense, since some companies tend to hang onto data forever and LeakedSource believes deleted accounts may be included in the breach.

There were a “significant number” of users with an email formatted as “email@address.com@deleted1.com.” LeakedSource said, “The addition of "@deleted.com" was done behind the scenes by Adult Friend Finder.” In fact, LeakedSource found 15,766,727 “deleted” accounts from AdultFriendFinder.com.

“If anyone registered an account prior to November of 2016 on any Friend Finder website, they should assume they are impacted and prepare for the worst,” LeakedSource told Salted Hash.

LeakedSource always includes some interesting tidbits in its analysis such as English being the main language spoken by FFN users and “there are 5,650 .gov registered emails on all websites combined and 78,301 .mil emails.” The top three email domains used when people registered accounts were Hotmail, Yahoo and Gmail.

LeakedSource has already cracked 99% of the passwords and even cracked passwords which were 32 characters in length. Here are the top 10 passwords used on FFN sites:

                              Password

                              Number of times used

                              123456

                              900,420

                              12345

                              635,995

                              123456789

                              585,150

                              12345678

                              145,867

                              1234567890

                              133,414

                              1234567

                              112,956

                              password

                              101,046

                              qwerty

                              86,050

                              qwertyuiop

                              43,755

                              987654321

                              40,627

FFN told ZDNet that most reports of security vulnerabilities it received over the last several weeks were “false extortion attempts,” but that it fixed one vulnerability. That was followed by the usual blah blah blah a company proclaims after the public learns it was hacked. “FriendFinder takes the security of its customer information seriously.”

Oh, really? Well you can understand why that statement is confusing since the company did not notify its customers about the hack; also, storing records in plaintext or weakly secured with SHA1 seems to indicate the opposite of taking the security of customer information seriously.

Wait, hasn’t Adult Friend Finder already been hacked? Why yes indeed it has; 3.5 million accounts were compromised back in May of 2015. The hacker posted a $100,000 ransom demand and then put the database up for sale for 70 bitcoins. It makes no sense at all for any company to store passwords in plaintext, nevertheless a company which was hacked in the past.

And now, with this hack, LeakedSource claimed that the “sexual secrets for hundreds of millions” have been exposed.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.