
412 million user accounts exposed in FriendFinder Networks hack

Another huge data breach has exposed poor security of user details and continued poor user password practices

The user details of more than 412 million accounts have been exposed in a data breach at FriendFinder Networks, confirming poor password practices, according to breach notification site LeakedSource.

Nearly 340 million of the compromised accounts belong to the company’s AdultFriendFinder swinger community site; most of the rest belong to live sex chat site Cams.com (nearly 63 million), with smaller numbers from iCams.com (1.1 million) and other FriendFinder Networks properties.

The compromised data reportedly includes usernames, account passwords, email addresses and the date of a user’s last visit. According to ZDNet, it does not include sexual preference data, unlike the May 2015 breach in which more than 3.5 million AdultFriendFinder accounts were exposed along with such details.

LeakedSource claims a total of 412,214,295 accounts are affected by a breach that took place in October, and while this is fewer than the 500 million accounts affected in the 2014 breach at Yahoo, it is the largest breach of 2016 so far.

Anyone who has an account with any of these sites is advised to change their password immediately on the affected site, as well as any other sites on which they have used the same password.

According to LeakedSource, FriendFinder Networks was compromised through the exploitation of a local file inclusion (LFI) vulnerability. In an LFI flaw, a request parameter that the application uses to select a file to include is not validated, so an attacker can point it at arbitrary files already on the server, typically using `../` path traversal, and have the application read or execute them. Application source code and configuration files, including database credentials, are the usual first targets.
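To make the class of bug concrete, the following is an added example and not code from FriendFinder Networks or from LeakedSource’s report. It models a page loader of the kind found in many web applications, where a request parameter such as `page=about` selects a template file: the vulnerable version passes the parameter straight to the filesystem, so `../config.inc` walks out of the template directory, while the hardened version allowlists the parameter and checks that the resolved path stays under the template root. The directory layout, file names and the "secret" are constructed for the demo; in a PHP `include()` the escaped file would be executed rather than merely read.

```python
import os
import tempfile

# Constructed allowlist of page names the application is willing to render.
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_load_page(base_dir, page):
    """Vulnerable: trusts the request parameter as a file name.
    '../' sequences escape base_dir, so the attacker picks any readable file."""
    path = os.path.join(base_dir, page)
    with open(path) as f:
        return f.read()


def hardened_load_page(base_dir, page):
    """Hardened: map the parameter through an allowlist, then verify (defence in
    depth) that the resolved path is still inside the template directory."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page + ".html"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes template directory")
    with open(path) as f:
        return f.read()


def demo():
    """Build a throwaway site tree and run both loaders against a traversal payload."""
    site = tempfile.mkdtemp()
    templates = os.path.join(site, "templates")
    os.mkdir(templates)
    with open(os.path.join(templates, "home.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    # Constructed secret one level above the template directory.
    with open(os.path.join(site, "config.inc"), "w") as f:
        f.write("db_password=hunter2")

    results = {}
    results["vuln_normal"] = vulnerable_load_page(templates, "home.html")
    # Attacker-controlled parameter carrying a traversal sequence.
    results["vuln_traversal"] = vulnerable_load_page(templates, "../config.inc")
    results["hard_normal"] = hardened_load_page(templates, "home")
    try:
        hardened_load_page(templates, "../config.inc")
        results["hard_traversal"] = "loaded"
    except ValueError as e:
        results["hard_traversal"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is what actually closes the hole; the `realpath`/`commonpath` check is there so that a later change to the allowlist logic (or a symlink inside the template directory) does not silently reopen it.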

LeakedSource warned that at least 15 million of the AdultFriendFinder accounts accessed by the hackers had been deleted by the account users, but the data was still available in the hacked database.

A similar failure to delete user details was uncovered in the breach of adult site Ashley Madison in 2015, where users had actually paid to have their details deleted yet they were still accessible to the hackers.

Passwords easy to crack

Although most passwords were hashed with SHA-1, this offers little protection: SHA-1 is a fast general-purpose hash rather than a deliberately slow password hashing function such as bcrypt, so an attacker can test billions of candidate passwords per second against the hashes. According to LeakedSource, 103,070,536 AdultFriendFinder passwords were stored in plain text and 232,137,460 were hashed with SHA-1, and LeakedSource estimated that 99.3% of all passwords from the site had been cracked.

The hacked data once again shows that most people use simple, easy-to-guess passwords. The most common password was 123456, followed by 12345, 123456789, 12345678 and 1234567890. The next most common passwords used for these adult sites were password, qwerty and qwertyuiop.
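The two preceding paragraphs explain why fast, unsalted SHA-1 plus common passwords produced a 99.3% crack rate. The following added example, which is not code from the article or from LeakedSource, builds a constructed seven-record "dump" of the passwords named above (plus one passphrase that is in no short wordlist), cracks the SHA-1 form with a single precomputed table, and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256. The wordlist, sample passwords and the reduced iteration count are assumptions for the demo, not values from the breach.

```python
import hashlib
import hmac
import os

# Constructed sample dump: the common passwords named in the article plus one
# passphrase that no short wordlist contains. Not data from the breach.
SAMPLE_PASSWORDS = ["123456", "12345", "123456789", "password", "qwerty",
                    "qwertyuiop", "correct-horse-battery-staple"]

# The cracker's wordlist: the eight passwords listed in the article.
WORDLIST = ["123456", "12345", "123456789", "12345678", "1234567890",
            "password", "qwerty", "qwertyuiop"]

# Demo-only iteration count so the example finishes in seconds; production
# deployments use a far higher count (or bcrypt/scrypt/Argon2).
DEMO_ITERATIONS = 50_000


def sha1_hex(password):
    """How the leaked records were stored: one fast, unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1_dump(hashes, wordlist):
    """Unsalted fast hash: hash the wordlist ONCE, then every record is a
    dictionary lookup. Returns (recovered {hash: password}, hash computations)."""
    table = {sha1_hex(w): w for w in wordlist}
    recovered = {h: table[h] for h in hashes if h in table}
    return recovered, len(table)


def pbkdf2_record(password, iterations=DEMO_ITERATIONS):
    """Stronger storage: a random per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2_dump(records, wordlist):
    """With a unique salt per record there is no shared table: every guess costs
    a full KDF run against every record. Returns (recovered list, KDF runs)."""
    recovered, runs = [], 0
    for record in records:
        hit = None
        for guess in wordlist:
            runs += 1
            if verify_pbkdf2(guess, record):
                hit = guess
                break
        recovered.append(hit)
    return recovered, runs


def compare_storage_schemes():
    """Run the same wordlist attack against both storage schemes and tally cost."""
    sha1_dump = [sha1_hex(p) for p in SAMPLE_PASSWORDS]
    sha1_found, sha1_ops = crack_sha1_dump(sha1_dump, WORDLIST)

    pbkdf2_dump = [pbkdf2_record(p) for p in SAMPLE_PASSWORDS]
    pbkdf2_found, pbkdf2_runs = crack_pbkdf2_dump(pbkdf2_dump, WORDLIST)

    return {
        "records": len(SAMPLE_PASSWORDS),
        "sha1_cracked": len(sha1_found),
        "sha1_hash_ops": sha1_ops,
        "pbkdf2_cracked": sum(1 for p in pbkdf2_found if p is not None),
        "pbkdf2_kdf_runs": pbkdf2_runs,
        "pbkdf2_hash_iterations": pbkdf2_runs * DEMO_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare_storage_schemes().items():
        print(f"{key}: {value}")
```

Two things stand out in the tallies. Against unsalted SHA-1, eight hash computations recover six of the seven records, and the same table would serve all 232 million leaked hashes. Against salted PBKDF2, the attacker needs 35 separate KDF runs (1.75 million hash iterations at the demo setting) for seven records, and the cost grows linearly with the number of records. The six weak passwords are still recovered either way: slow, salted hashing raises the attacker's bill, but it does not rescue 123456.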

The emails registered on the sites include 5,650 from .gov domains and 78,301 from .mil domains, but the most common domain is Hotmail.com, followed by Yahoo.com and Gmail.com.


The most common languages are English (248,986,884), Spanish (63,602,761), Portuguese (29,827,490), French (23,313,262) and Chinese (10,384,967).

FriendFinder Networks has neither confirmed nor denied the breach, but in a statement said it had received a number of reports regarding potential security vulnerabilities from a variety of sources.

“Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation,” said Diana Ballou, FriendFinder senior counsel, in a statement.

“While a number of these claims [about security vulnerabilities] proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability,” she said.

The only way to shore up defences is by getting the basics right, from implementing the correct procedures, to managing critical assets through a proactive and integrated approach, according to Peter Martin, managing director at security management firm RelianceACSN.

“It doesn’t matter what industry you are in. Company directors and managers are legally accountable for people’s personal data,” he said.

Businesses need to professionalise their operations data security, said Martin. “To do this they need trained experts and engineers, not well-meaning but overworked internal staff doing their best. That approach is no longer good enough. Until organisations have got the basics right, we’ll continue to see breaches like this happening on a daily basis,” he warned.
