Adultfriendfinder, “the world’s largest sex & swinger community,” has suffered a major breach, leaking 300,000,000 accounts’ worth of personal information, namely email addresses, passwords, usernames, IP addresses and browser information.
This breach is nearly ten times larger than the 2015 Ashley Madison breach, though the latter contained much more detailed information.
Adultfriendfinder’s user passwords were hashed with the weak SHA-1 algorithm, considered insecure.
Data from several of of Adultfriendfinder’s other sites was also leaked, including data from cams.com, Stripshow and Icams. Additionally, 15 million Penthouse users’ data was breached, because Adultfriendfinder saved Penthouse data after its sold off the site. Moreover, 15 million deleted accounts were included in the breach, because the company had retained those users’ data.
This is a familiar situation: companies that inadequately secure their networks also use inadequate measures to protect passwords and also hoard loads of data they have no business hanging onto. It’s a kind of infosec Dunning-Kruger, where companies’ incompetence also predicts their confidence that they have the right to keep other peoples’ data and that this will not cause problems for anyone.
Unsurprisingly, Adultfriendfinder also does not support HTTPS connections.
According to LeakedSource, Friend Finder Network had stored their user passwords in plane visible format, or with with Secure Hash algorithm 1 (SHA-1), which is not considered secure. According to ZDNet, which obtained a portion of the database and confirmed its legitimacy, the leaked information “does not appear to contain sexual preference data, unlike the 2015 breach.” However, the site was able to see account usernames, e-mails, passwords, the last login, IP addresses, browser information and other information.
Over 300 million AdultFriendFinder accounts have been exposed in a massive breach [Andrew Liptak/The Verge]