Two pseudonymous hackers called Revolver and Peace have claimed to have hacked the online hookup site Adult FriendFinder. While Revolver posted two screenshots of the site's database, Peace claimed to have gained access to a database of around 73 million users.
Revolver's leaked data also allegedly contains login credentials which provide those in possession of the data with the ability to access major functions of the site's infrastructure. The data also reportedly contains users' personal information. The hacker claimed to have exploited a vulnerability in the site in September, adding that he is currently working on gaining access to other databases.
Meanwhile, Peace claimed to have hacked Adult FriendFinder last week. He told Motherboard that he had provided other hackers with "everything, all (FriendFinder Network)", referring to the site's parent company.
A spokesperson for the FriendFinder Network said on 19 October that the company was "aware of reports of a security incident" and is "currently investigating to determine the validity of the reports", the Daily Dot reported.
"If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected," the spokesperson's statement read.
Despite Peace's claims of having shared the site's data with other hackers, Revolver claims to have been working alone. "I have nothing to do with Peace and never spoke to him, and even I don't know him," Revolver said. "At this moment, my vulnerability was found by my self-coded tool and has nothing to do with someone else."
According to security researcher Dan Tentler, who examined a set of the site's leaked files online as well as a sample provided by Peace to Motherboard, the hackers' claims of a new breach appear to be legitimate.
"Theoretically? Complete end-to-end compromise," Tentler said, adding that one of the hacked and stolen files contained employee names, home IP addresses, and even Virtual Private Network (VPN) keys to access Adult FriendFinder's servers remotely.
Security experts who looked into Revolver's leaked files on Twitter said the hacker appeared to have leveraged a Local File Inclusion – a common vulnerability found in weakly coded web applications. The vulnerability allows hackers to attack a website and access files from any given system. Both Peace and Revolver confirmed that they had exploited the same flaw.
Adult FriendFinder was hacked in 2015 by an alleged hacker going by the name ROR[RG]. The hacker is believed to have breached and leaked critically sensitive and personal information of over four million users. ROR[RG], who is beleived to have attempted to blackmail Adult FriendFinder for around $100,000 (£63,850), published stolen data from the site on the underground hacking forum Hell.
It is still uncertain if the two hackers who claimed the new breach have put the alleged stolen data for sale on the dark web.