AdultFriendFinder hack exposes 20 years of data on 400 million users
Personal information securely kept in plain text, apparently
Friend Finder Network Inc, the company that runs the AdultFriendFinder dating website, has been hacked for the second time in 18 months, with the attackers making off with some 20 years of users' data.
The data, which includes user names, emails and passwords, has been spilled on the LeakedSource website, but LeakedSource has decided against publishing the whole lot - for the time being.
"Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October 2016 for over 400 million accounts representing 20 years of customer data, which makes it by far the largest breach we have ever seen," claimed LeakedSource.
"This event also marks the second time Friend Finder has been breached in two years, the first being around May 2015," it added.
The 400 million user number comes from the organisation's wider network that includes Penthouse.com, described as an "adult magazine akin to Playboy", and Cams.com, a site "where adults meet models for sex chat live through webcams".
AdultFriendFinder accounts for the bulk of the users, however, with some 340 million of them. LeakedSource has decided against publishing the dataset from the hack, something it usually does.
"After much internal deliberation by the LeakedSource team, and for various reasons, we have decided that this dataset will not be searchable by the general public on our main page for the time being," the organisation said.
However, LeakedSource has fewer scruples about upsetting the people responsible for security (or the lack of it) at FriendFinder. "While perusing the data we noticed that a significant amount of users had an email in the format of: [email protected]@deleted1.com. Uh oh.
"We've seen this situation many times before and it likely means these were users who tried to delete their account, but the data is obviously still kept around because we're looking at it.
"Counting the amount of emails with @deleted near the end, we have 15,766,727 'deleted' accounts in AdultFriendFinder.com."
Friend Finder Network stored passwords either in plain text or as SHA1 hashes with a pepper. Neither method is considered secure by any stretch of the imagination.
"Furthermore, the hashed passwords seem to have been changed to all lowercase before storage, which made them far easier to attack, but means the credentials will be slightly less useful for malicious hackers to abuse in the real world," suggested LeakedSource.
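To make concrete why the storage scheme described above is weak, here is an added illustration (not code from the article or from Friend Finder Network) that reproduces the lowercase-then-peppered-SHA1 scheme beside a hardened alternative. The pepper value is a constructed placeholder, and PBKDF2-HMAC-SHA256 with a random per-user salt is this example's own choice of replacement; the article does not name one.

```python
import hashlib
import hmac
import os

# Constructed placeholder pepper for this illustration only; a real deployment
# would keep its pepper outside the database (e.g. in an HSM or secrets store).
PEPPER = b"example-pepper-not-a-real-value"

ALPHANUMERIC = 62      # upper + lower + digits
LOWER_ALPHANUMERIC = 36  # lower + digits only


def weak_store(password: str) -> str:
    """The scheme the article describes: lowercase the password, then SHA1 it
    with a site-wide pepper and no per-user salt. Kept here only to show its
    properties, not as something to deploy."""
    return hashlib.sha1(PEPPER + password.lower().encode("utf-8")).hexdigest()


def case_variants_collide(a: str, b: str) -> bool:
    """True when two passwords differing only in case map to the same stored
    hash, which is what lowercasing before hashing causes."""
    return weak_store(a) == weak_store(b)


def alnum_keyspace_shrink(length: int) -> float:
    """Factor by which lowercasing shrinks the space of alphanumeric passwords
    of a given length: (62/36) ** length."""
    return (ALPHANUMERIC ** length) / (LOWER_ALPHANUMERIC ** length)


def strong_store(password: str, iterations: int = 200_000) -> dict:
    """Hardened alternative: preserve case, draw a random 16-byte per-user salt
    and run a deliberately slow KDF. Returns the record to persist."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def strong_verify(record: dict, password: str) -> bool:
    """Recompute the KDF from the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(expected, actual)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored hashes under the
    salted scheme, so one cracked record reveals nothing about the other."""
    return strong_store(password)["hash"] != strong_store(password)["hash"]


if __name__ == "__main__":
    print("case collapse:", case_variants_collide("Secret123", "SECRET123"))
    print("8-char alnum keyspace shrinks by", round(alnum_keyspace_shrink(8), 1), "x")
    rec = strong_store("Secret123")
    print("verify correct:", strong_verify(rec, "Secret123"))
    print("verify wrong case:", strong_verify(rec, "SECRET123"))
```

The weak scheme collapses every case variant of a password onto one digest, and with no per-user salt every account sharing a password shares a hash; the salted, iterated scheme removes both properties and rejects the wrong-case variant on login.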