Over 412 million ‘adult’ accounts exposed – including 15 million deleted ones

It’s undoubtedly the biggest hack of the year: LeakedSource reports that a data breach at FriendFinder Networks – the popular purveyor of pornography and ‘casual dating’ services – has exposed 412,214,295 accounts, including:

  • 339,774,493 members of adultfriendfinder.com
  • 62,668,630 members of cams.com
  • 7,176,877 members of penthouse.com
  • 1,423,192 members of stripshow.com
  • 1,135,731 members of icams.com
  • 35,372 members of an unknown domain.

As if this weren’t bad enough, 15,766,727 members “had an email in the format of: email@address.com@deleted1.com”, indicating that ‘deleted’ accounts weren’t actually removed from company databases.

Moreover, thanks to poor password security practices (passwords were stored in plaintext or were hashed with the insecure SHA-1 algorithm, having been changed to lower-case before hashing), “99.0% of all available passwords are now visible in plaintext.”
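The storage scheme described above, set beside a hardened form, as an added example that is not code from FriendFinder, LeakedSource or this article. The account names, passwords, function names and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

# Constructed sample accounts (not real data).
ACCOUNTS = [("alice", "Summer2016"), ("bob", "summer2016"),
            ("carol", "SUMMER2016"), ("dave", "correct horse")]


def weak_hash(password: str) -> str:
    """Scheme the article describes: lower-case, then unsalted SHA-1."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: case preserved, random per-account salt, slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_hash_groups(accounts, hasher):
    """Return groups of users whose stored values are identical."""
    groups = {}
    for user, password in accounts:
        groups.setdefault(hasher(password), []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Lower-casing plus no salt makes three different passwords one record.
    print("weak scheme, shared hashes:", shared_hash_groups(ACCOUNTS, weak_hash))
    # Per-account salts give every user a distinct stored value.
    print("salted KDF, shared hashes: ", shared_hash_groups(ACCOUNTS, strong_hash))
```

Under the weak scheme a single recovered value resolves every account in a group at once, and case changes in the original password add nothing.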

The attack seems to have occurred last month, at around the time CSO Online reported that Adult FriendFinder had a local file inclusion (LFI) vulnerability.

FriendFinder Networks vice president and senior counsel Diana Ballou told ZDNet that it had fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.

“FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

This isn’t the first time FriendFinder has been hacked: in May 2015, 3.9 million members’ details were compromised.