Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed

More than 412 million user accounts have been exposed thanks FriendFinder Networks being hacked. The breach included 20 years of historical customer data from six compromised databases: Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com. iCams.com, and an unknown domain. This, the 412,214,295 exposed records, is the biggest data breach in 2016, according to LeakedSource.

Back in October, Steve Ragan of CSO’s Salted Hash was the first to report vulnerabilities found on Adult Friend Finder. At the time, Friend Finder Networks vice president and senior counsel Diana Lynn Ballou told Ragan that the company was investigating reports of a security incident; if true, then affected customers would be notified.

Yet it wasn’t until Sunday, Nov. 13, that details about the massive breach became known. The notification did not come via the Friend Finder Networks (FFN), but from LeakedSource, which called the FriendFinder Networks breach the “largest hack of 2016.”

(The Yahoo hack, which exposed 500 million records, happened in 2014 even if the public did not learn the full extent of the breach until 2016.)

According to LeakedSource, the six FFN databases included usernames, email addresses and passwords stored either in plaintext or hashed using SHA1 with pepper. The 412,214,295 exposed records from the breach break down like this:

It is believed the hack occurred in October. LeakedSource decided not to make the data searchable at this time. If you had an account on any FFN site, you should likely consider it to be compromised. Notice that was in the past tense, since some companies tend to hang onto data forever and LeakedSource believes deleted accounts may be included in the breach.

There were a “significant number” of users with an email formatted as “email@address.com@deleted1.com.” LeakedSource said, “The addition of "@deleted.com" was done behind the scenes by Adult Friend Finder.” In fact, LeakedSource found 15,766,727 “deleted” accounts from AdultFriendFinder.com.

“If anyone registered an account prior to November of 2016 on any Friend Finder website, they should assume they are impacted and prepare for the worst,” LeakedSource told Salted Hash.

LeakedSource always includes some interesting tidbits in its analysis such as English being the main language spoken by FFN users and “there are 5,650 .gov registered emails on all websites combined and 78,301 .mil emails.” The top three email domains used when people registered accounts were Hotmail, Yahoo and Gmail.

LeakedSource has already cracked 99% of the passwords and even cracked passwords which were 32 characters in length. Here are the top 10 passwords used on FFN sites:

FFN told ZDNet that most reports of security vulnerabilities it received over the last several weeks were “false extortion attempts,” but that it fixed one vulnerability. That was followed by the usual blah blah blah a company proclaims after the public learns it was hacked. “FriendFinder takes the security of its customer information seriously.”

Oh, really? Well you can understand why that statement is confusing since the company did not notify its customers about the hack; also, storing records in plaintext or weakly secured with SHA1 seems to indicate the opposite of taking the security of customer information seriously.

Wait, hasn’t Adult Friend Finder already been hacked? Why yes indeed it has; 3.5 million accounts were compromised back in May of 2015. The hacker posted a $100,000 ransom demand and then put the database up for sale for 70 bitcoins. It makes no sense at all for any company to store passwords in plaintext, nevertheless a company which was hacked in the past.

And now, with this hack, LeakedSource claimed that the “sexual secrets for hundreds of millions” have been exposed.