Adult dating and entertainment company FriendFinder Networks has reportedly been hacked in a massive data breach exposing more than 412 million accounts and user credentials collected over two decades. According to LeakedSource, the breach is believed to have occurred in October, with email addresses and passwords from six adult-oriented FriendFinder Networks websites dumped online.
More than 330 million accounts on AdultFriendFinder - a site that dubs itself the "World's largest sex and swinger community" - were exposed in the breach. The hack also exposed more than 62 million user accounts on video site Cams.com and more than seven million on Penthouse.com in addition to a few million from other smaller websites owned by the company.
According to LeakedSource, FriendFinder Networks stored its users' passwords either in plaintext or hashed with SHA-1, a fast general-purpose hash that was never designed for password storage and offers little resistance to offline cracking.
"Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world," LeakedSource said.
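The storage scheme LeakedSource describes, as an added example that is not code from FriendFinder Networks or LeakedSource: `weak_store` lowercases and then SHA-1 hashes a password, `crack_weak` shows why that is cheap to reverse with a wordlist, and `strong_store` / `strong_verify` show the per-user-salted, slow-KDF alternative (PBKDF2-HMAC-SHA256 from the standard library; Argon2 or bcrypt would be equally valid). The user names, passwords, wordlist and record format are constructed for illustration, and the example assumes the SHA-1 hashes were unsalted, which the article does not state outright.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable

# Constructed sample accounts (hypothetical users and passwords, not breach data).
SAMPLE_ACCOUNTS = {
    "alice": "Password1",
    "bob": "123456",
    "carol": "PASSWORD1",  # same as alice's password once lowercased
    "dave": "correct horse battery staple",
}

# Constructed attacker wordlist; a real one would hold millions of entries.
WORDLIST = ["123456", "12345", "123456789", "password1", "letmein"]


def weak_store(password: str) -> str:
    """The scheme reported for FriendFinder: lowercase, then unsalted SHA-1.
    (Unsalted is this example's assumption.) Without a salt, every user with
    the same password shares one hash, and lowercasing collapses case variants
    into a single hash, shrinking the search space further."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def crack_weak(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes: hash each candidate once, then look
    every user up in the table. Cost is O(len(wordlist)), not O(users * words).
    Recovered values are lowercased, so the original casing is lost (the
    'slightly less useful' point LeakedSource made)."""
    table = {hashlib.sha1(w.lower().encode("utf-8")).hexdigest(): w.lower()
             for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow KDF. Case is preserved.
    The '$'-separated record format is hypothetical, chosen so the verifier
    can recover the parameters."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def distinct_hashes(passwords: Iterable[str], store: Callable[[str], str]) -> int:
    """How many distinct stored values a set of passwords produces under a scheme.
    Fewer distinct hashes than distinct passwords means lost entropy."""
    return len({store(p) for p in passwords})


if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("recovered from weak scheme:", crack_weak(weak, WORDLIST))
    print("distinct weak hashes for 4 accounts:",
          distinct_hashes(SAMPLE_ACCOUNTS.values(), weak_store))
    print("distinct salted hashes for 4 accounts:",
          distinct_hashes(SAMPLE_ACCOUNTS.values(), strong_store))
    record = strong_store("Password1")
    print("verify correct case:", strong_verify("Password1", record))
    print("verify wrong case:", strong_verify("password1", record))
```

Running it recovers three of the four constructed accounts from a five-word list in a single pass, and shows that "Password1" and "PASSWORD1" are indistinguishable once stored, while the salted records differ for every user and reject the wrong-case guess.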
FriendFinder Networks still held login data for Penthouse.com even though it had sold the site to Penthouse Global Media in February. It also retained the email addresses and passwords of more than 15 million AdultFriendFinder users who believed they had deleted their accounts.
The LeakedSource team added that they will not make the data set searchable by the general public for now.
Hackers reportedly broke into FriendFinder's network by exploiting a Local File Inclusion (LFI) vulnerability on the site, a flaw that lets an attacker make the web application read files from its own server, such as its source code. Although FriendFinder Networks confirmed a vulnerability to ZDNet, it did not explicitly confirm the intrusion.
"Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources," FriendFinder Networks vice president and senior counsel Diana Ballou told ZDNet in an email. "Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.
"While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability. FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues."
In May 2015, more than 3.5 million users were compromised after dating site AdultFriendFinder was hacked, exposing usernames, IP addresses, birth dates and sexual orientation.
ZDNet, which obtained a portion of the database to analyse, reports that the leaked information "does not appear to contain sexual preference data, unlike the 2015 breach". The leaked databases did, however, include usernames, email addresses, passwords and the date of each user's last visit, along with site-specific membership data: browser information, whether the user was a VIP member, the last IP address used to log in and whether the member had paid for items.
LeakedSource reports that the passwords in the latest dump were extremely weak, the three most common being "123456", "12345" and "123456789".