Friend Finder Networks, the company that operates sites like Adultfriendfinder.com (“World’s largest sex & swinger community”) and Cams.com (“Where adults meet models for sex chat live through webcams”), has been breached – again!
In the May 2015 breach, around 3.5 million users were affected, and the leaked data included details such as marital status and sexual preferences.
This time the leak includes “just” the username, email address, date of the last visit, password, last IP address used, browser information, and VIP membership status, but the number of affected users is astronomical: over 339 million (including over 15 million users who apparently deleted their accounts, but the company held on to their data).
According to LeakedSource, the leaked data also includes:
- Over 62 million Cams.com users
- Over 1.3 million iCams.com users
- Over 71 million Penthouse.com users (even though the site was sold to Penthouse Global Media in February)
- Over 1.4 million Stripshow.com users
In total, information of over 412 million users has been compromised.
“Passwords were stored by Friend Finder Network either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world,” the LeakedSource team noted.
They have already cracked 99 percent of all the hashed passwords, which means malicious individuals can crack them just as easily.
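The storage scheme LeakedSource describes, next to a hardened alternative, as an added example that is not code from the article or from Friend Finder Networks. The pepper value and its position in the hash input, the function names and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed value: the site's real pepper and how it was mixed in are not public.
PEPPER = b"constructed-site-wide-pepper"
PBKDF2_ITERATIONS = 600_000  # slow on purpose; one SHA-1 pass is not


def weak_store(password: str) -> str:
    """Scheme from the quote: lowercase the password, then one peppered SHA-1 pass."""
    return hashlib.sha1(PEPPER + password.lower().encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    """Accepts any capitalisation, because case was discarded before hashing."""
    return hmac.compare_digest(weak_store(password), stored)


def strong_store(password: str) -> tuple:
    """Hardened form: case preserved, random per-user salt, slow KDF.

    PBKDF2-HMAC-SHA256 is used because it ships with Python; a memory-hard
    KDF such as scrypt or Argon2 is preferable where available.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    pw = "Summer2016"  # constructed sample password shared by two users
    # Weak scheme: every capitalisation and every user with this password
    # maps to one hash, so one recovered value covers all of them.
    print("weak, user A:", weak_store(pw))
    print("weak, user B:", weak_store(pw.upper()))
    # Hardened scheme: same password, different salt, unrelated digests.
    salt_a, digest_a = strong_store(pw)
    salt_b, digest_b = strong_store(pw)
    print("strong digests differ:", digest_a != digest_b)
    print("strong rejects wrong case:", not strong_verify(pw.lower(), salt_a, digest_a))
```

The shared pepper only helps while it stays secret; once it is known, identical passwords are visible as identical hashes across the whole table, which per-user salts prevent.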
The team has decided not to make this particular data set searchable by the general public for now.
Also, they posit that the breach was effected through the use of an exploit for a Local File Inclusion vulnerability, the existence of which was publicly revealed last month.
The leaked information (well, a portion of it) has been independently verified by ZDNet, but Friend Finder Networks has yet to confirm the breach. They only said that they have fixed the aforementioned vulnerability.