Alleged Adult Website Breach May Affect 412 Million Accounts
FriendFinder Networks Might Have Been Hit Again
A group that collects stolen data claims to have obtained 412 million accounts belonging to FriendFinder Networks, the California-based company that runs thousands of adult-themed sites in what it described as a "thriving sex community."
LeakedSource.com, a service that obtains data leaks through shady underground circles, believes the data is legitimate. FriendFinder Networks, stung last year when its AdultFriendFinder website was breached, could not be immediately reached for reaction (see Dating Website Breach Spills Secrets).
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification site, says that at first glance some of the data appears legitimate, but it's still early to make a call.
"It's a mixed bag," he says. "I'd need to see a complete data set to make an emphatic call on it."
If the data is accurate, it would mark one of the largest data breaches of the year behind Yahoo, which in October blamed state-sponsored hackers for compromising at least 500 million accounts in late 2014 (see Massive Yahoo Data Breach Shatters Records).
It also would be the second one to affect FriendFinder Networks in as many years. In May 2015 it was revealed that 3.9 million AdultFriendFinder accounts had been stolen by a hacker nicknamed ROR[RG] (see Dating Website Breach Spills Secrets).
The alleged leak is likely to cause panic among users who created accounts on FriendFinder Network properties, which primarily are adult-themed dating/fling websites, and those run by subsidiary Steamray Inc., which specializes in nude model webcam streaming.
It could also be particularly worrisome because LeakedSource says the accounts date back 20 years, a time in the early commercial web when users were less worried about privacy issues.
The latest FriendFinder Networks breach would be rivaled in sensitivity only by the breach of Avid Life Media's Ashley Madison extramarital dating site, which exposed 36 million accounts, including customers' names, hashed passwords and partial credit card numbers (see Ashley Madison Slammed by Regulators).
Local File Inclusion flaw
The first clue that FriendFinder Networks might have another problem came in mid-October.
CSOonline reported that someone had posted screenshots on Twitter showing a local file inclusion vulnerability in AdultFriendFinder. In a local file inclusion flaw, the web application builds a file path from attacker-supplied input without restricting it to the intended directory, so an attacker can make the server read files it should not expose, such as configuration files or source code; in the worst case, when the included file is executed rather than merely read, it can lead to code running on the web server, according to OWASP, the Open Web Application Security Project.
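The pattern behind such a bug, and the check that closes it, as an added example that is not code from the article or from FriendFinder Networks. It is written in Python rather than PHP and uses a throwaway directory layout constructed inside a temporary folder; the file names, the traversal payload and the "db.conf" secret are all assumptions made for the illustration.

```python
import os
import tempfile


def vulnerable_include(web_root: str, page: str) -> str:
    """Bug: 'page' is joined to the web root unchecked, so '../' sequences
    (or an absolute path, which os.path.join honours) escape the root and
    read any file the server process can read."""
    path = os.path.join(web_root, page)
    with open(path, encoding="utf-8") as f:
        return f.read()


def safe_include(web_root: str, page: str) -> str:
    """Fix: resolve symlinks and '..' first, then refuse any target whose
    real path does not sit under the real web root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"rejected include outside web root: {page!r}")
    with open(target, encoding="utf-8") as f:
        return f.read()


def demo() -> dict:
    """Builds a constructed layout (pages/home.html inside the root, db.conf
    one level above it) and runs both loaders against a traversal payload."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "home.html"), "w", encoding="utf-8") as f:
            f.write("<h1>home</h1>")
        # Hypothetical config file outside the web root; the value is made up.
        with open(os.path.join(tmp, "db.conf"), "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")

        payload = "../db.conf"  # attacker-controlled 'page' parameter
        result = {
            "normal": safe_include(pages, "home.html"),
            "vulnerable_leaks": vulnerable_include(pages, payload),
        }
        try:
            safe_include(pages, payload)
            result["safe_blocks"] = False
        except ValueError:
            result["safe_blocks"] = True
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In PHP, where this class of bug is most common, the dangerous sink is `include()` or `require()` rather than a file read, which is why a local file inclusion can turn into code execution: the server parses and runs whatever file the attacker points it at. The allow-check above is the same either way: resolve the final path, then compare it against the real root, never against the unresolved string.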
The person who found that flaw has gone by the nicknames 1x0123 and Revolver on Twitter, which has suspended the accounts. CSOonline reported that the person posted a redacted image of a server and a database schema generated on Sept. 7.
In a statement supplied to ZDNet, FriendFinder Networks confirmed that it had received reports of potential security problems and undertook a review. Some of the claims were actually extortion attempts.
But the company fixed a code injection flaw that could have enabled access to source code, FriendFinder Networks told the publication. It wasn't clear if the company was referring to the local file inclusion flaw.
The sites breached would appear to include AdultFriendFinder.com, iCams.com, Cams.com, Penthouse.com and Stripshow.com, the last of which redirects to the definitely not-safe-for-work playwithme[.]com, run by FriendFinder subsidiary Steamray. LeakedSource provided samples of data to journalists where those sites were mentioned.
But the leaked data could encompass many more sites, as FriendFinder Networks runs as many as 40,000 websites, a LeakedSource representative says over instant messaging.
One large sample of data provided by LeakedSource at first seemed to not contain current registered users of AdultFriendFinder. But the file "seems to contain much more data than one single site," the LeakedSource representative says.
"We didn't split any data ourselves, that's how it came to us," the LeakedSource representative writes. "Their [FriendFinder Networks'] infrastructure is two decades old and slightly confusing."
Many of the passwords were simply in plaintext, LeakedSource writes in a blog post. Others had been hashed, meaning the plaintext password was run through a one-way function and only the resulting digest was stored, which is safer because a leaked digest does not directly reveal the password.
Still, those passwords were hashed using SHA-1, which is unsuitable for this purpose. SHA-1 is a fast, general-purpose hash rather than a password-hashing function: commodity hardware can compute billions of SHA-1 digests per second, so an attacker can simply hash candidate passwords from a wordlist until a digest matches. Without a per-user salt, one such pass covers every account at once, and without a deliberately slow function such as bcrypt, scrypt or PBKDF2 there is nothing to limit the guessing rate. LeakedSource says it has cracked most of the SHA-1 hashes.
It appears that FriendFinder Networks changed some of the plaintext passwords to all lower-case letters before hashing. That shrinks the space an attacker has to search, since every mixed-case variant of a password collapses to a single candidate, which is why LeakedSource was able to crack them faster. It also has a slight benefit, as LeakedSource writes that "the credentials will be slightly less useful for malicious hackers to abuse in the real world."
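Why unsalted SHA-1 falls so quickly, and what lowercasing before hashing does to the search space, as an added example that is not from the article or from LeakedSource's blog post. The three accounts, their passwords and the wordlist are constructed for the illustration; the PBKDF2 iteration count is kept low so the example runs in seconds, and production deployments should use a much higher one.

```python
import hashlib
import os

ITERATIONS = 50_000  # kept low for the demo; real deployments use far more


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed "leak": e-mail -> unsalted SHA-1 digest. Not real data.
LEAK = {
    "alice@example.invalid": sha1_hex("sunshine"),    # lowercased before hashing
    "bob@example.invalid": sha1_hex("Password1"),     # stored as typed
    "carol@example.invalid": sha1_hex("correct horse battery staple"),
}

# Constructed attacker wordlist; "sunshine" and "Password1" are in it.
WORDLIST = ["123456", "password", "sunshine", "Password1", "qwerty"]


def case_variants(word: str) -> int:
    """Number of upper/lower spellings an attacker must try when case is
    preserved. Lowercasing before hashing collapses all of them to one."""
    return 2 ** sum(c.isalpha() for c in word)


def crack_unsalted_sha1(leak: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes. One lookup table built from the
    wordlist (plus lowercased forms, since the site lowercased some inputs)
    serves every account, so hash work does not grow with the account count.
    Returns (recovered passwords, number of hash computations)."""
    table, ops = {}, 0
    for w in wordlist:
        for cand in (w, w.lower()):
            table[sha1_hex(cand)] = cand
            ops += 1
    return {email: table.get(digest) for email, digest in leak.items()}, ops


def store_salted(pw: str, iterations: int = ITERATIONS) -> tuple:
    """Hardened storage: random per-user salt plus a slow key derivation."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def crack_salted(store: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """Same dictionary attack against salted PBKDF2. No shared table is
    possible: each (account, candidate) pair costs a full derivation, so work
    is accounts * candidates * iterations. Weak passwords still fall; strong
    ones become impractical. Returns (recovered, derivation count)."""
    recovered, ops = {}, 0
    for email, (salt, digest) in store.items():
        recovered[email] = None
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                recovered[email] = w
    return recovered, ops


def compare() -> dict:
    """Runs both attacks over the constructed data for side-by-side figures."""
    unsalted, unsalted_ops = crack_unsalted_sha1(LEAK, WORDLIST)
    salted_store = {
        "alice@example.invalid": store_salted("sunshine"),
        "bob@example.invalid": store_salted("Password1"),
        "carol@example.invalid": store_salted("correct horse battery staple"),
    }
    salted, salted_ops = crack_salted(salted_store, WORDLIST)
    return {
        "unsalted": unsalted, "unsalted_hash_ops": unsalted_ops,
        "salted": salted, "salted_kdf_ops": salted_ops,
        "variants_if_case_kept": case_variants("Password1"),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Two things the figures make concrete: the unsalted attack spends ten SHA-1 computations to cover all three accounts, while the salted one needs fifteen full derivations of tens of thousands of rounds each and would scale linearly with a 412-million-row dump; and a case-preserved "Password1" has 256 spellings to try, whereas the lowercased store needs only one, which is the speed-up LeakedSource describes.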
For a subscription fee, LeakedSource allows its customers to search through data sets it has collected. It is not allowing searches on this data, however.
"We don't want to comment directly about it, but we weren't able to reach a final decision yet on the subject matter," the LeakedSource representative says.
In May, LeakedSource removed 117 million emails and passwords of LinkedIn users after receiving a cease-and-desist order from the company.