Adult Friend Finder Hacked, 412 Million Accounts Exposed

  • Aug 05, 2020

Six databases that were owned by Friend Finder Networks, Inc. suffered a massive data breach in 2016, which cost 412 million users their accounts. Not only were the usernames and passwords stolen, but 15 million deleted accounts were also included in the mix.

Adult Friend Finder is an adult dating/entertainment website that calls itself the “world’s largest sex and swinger community.” Along with Adult Friend Finder, data accounts from Cams.com and Penthouse.com were also accessed in the data breach.

A security researcher named “Revolver” first discovered the breach. In Friend Finder hack, sensitive data regarding member’s sexual preferences, extramarital affairs, and purchases made on the site was lost. This latest breach, however, appears to have only compromised accounts. Friend Finder executives have been slammed in the media for poor security practices, and they have not publicly commented on the data breach.

Unique Dangers of the Adult Friend Finder Breach

The sheer volume of lost information set the Adult Friend Finder attack apart from other breaches that year. However, it was the explicit nature of the website’s content that made the event particularly dangerous.

While society’s attitude toward sexual freedom has evolved tremendously in the past decade, most people still prefer to keep their intimate activities private. People using adult dating or pornographic sites tend to leave their inhibitions behind and interact with content they wouldn’t publicly share.

Users may be ashamed or embarrassed by what they do or say on sites like Adult Friend Finder. This circumstance opens up many new ways for criminals to leverage leaked information. Along with potential identity theft, users are at risk of being blackmailed as well.

When Was the Adult Friend Finder Data Breach?

After investigating, cybersecurity officials believe the Adult Friend Finder data breach occurred before October 20, 2016. Friend Finder was warned by Revolver on October 18, 2016, about the potential vulnerability. Along with the accounts, evidence of source code from their websites and public/private key-pairs also showed up available online for purchase on the dark web.

How Adult Friend Finder Responded to the Attack

Adult Friend Finder did very little in response to the attack. It wasn't until a week after they announced the breach that the site began notifying its users. By then, an independent hacker had already released the news much more directly.

Little to no communication followed besides an initial press release recommending that users update their passwords. Users reported that the password requirements didn't change after the breach and weren't even case-sensitive

adult friend finder hacked

Adult Friend Finder 2015 Breach

It seems that some hard lessons need to be learned twice. Adult Friend Finder's 2016 breach wasn't an isolated incident. They experienced a prior attack under similar circumstances less than two years prior. This previous breach lost the credentials, card information, and site history of 3.5 million users.

Due to the sensitive material that the site worked with, leaked information also included sexual orientation, fetishes, and if the user was seeking an affair. The attack was carried out by a Thai hacker who released the data on the dark web.

The 2015 breach wasn't nearly as impactful as the one in 2016, but it should have served as a wake-up call to the company. The fact that similar cybersecurity weaknesses were targeted during both incidents indicates a severe lack of awareness. 

How Did the Breach Happen?

After the 2015 breach, Adult Friend Finder's weaknesses were laid bare. After the site failed to update to newer protocols, a larger-scale attack was inevitable.

A white-hat hacker released news of the 2016 breach with the screen name "Revolver." This individual located an LFI vulnerability (local file inclusion) activated in the photos shared in promotions. An LFI is typically found in poorly written code and involves a third-party adding new inputs into files before they're transferred to a server.

Afterward, investigations found that nearly all of the server's passwords were stored in plain text. Proper security systems use advanced encryptions that protect passwords and other information even if criminals manage to steal them.

Adult Friend Finder's defenses were so exploitable because they'd been largely untouched since 1996. Cyberthreats are evolving rapidly, and entire professions have formed around locating weak points in a server. Neglecting online security for so long can be construed as professional negligence, and the site even had a class action lawsuit filed against it.

Did the Breach Affect Adult Friend Finder?

Yahoo experienced a phishing-based data breach in 2013 that cost the retailer an estimated $350 million. Much of this damage was caused by people's loss of trust in Target and increased reluctance to shop at their stores.

Surprisingly, Adult Friend Finder didn't go through the same backlash. Its average monthly visits kept strong and currently sit at 50 million, which puts it in the top 15 most popular sites in the adult industry. Most of this traffic comes from English-speaking regions in the west.

As of 2021, the site had over 80 million users globally, with the cheapest subscription costing $20 per month. This level of success makes it comparable to industry heavy hitters like Hinge, OkCupid, and Tinder.

Analysts conjecture that this resilience to reputational damage comes from the type of content Adult Friend Finder engages with. Also, affected parties are less likely to complain about their lost data since that would mean openly admitting to using the site.

How the Breach Could Have Been Prevented

Adult Friend Finder's general apathy toward updating its security systems painted a giant target on its back. The 2015 breach can be viewed as a probing tactic, with the more significant and devastating attack following later.

Utilizing a more complex encryption system for passwords and other member data would have made the site a much less enticing target. However, their security measures must have failed at various steps to allow the password collection in the first place.

Standard cybersecurity practices employ a combination of hybrid cloud security, web application firewalls, and email security to stay secure. These systems automatically update or are manually reconfigured to handle new threats. Staying up to date is essential in ensuring your team is consistently warned of any problematic files or programs.

Regular inspections and testing play a large part in helping a site better understand its weaknesses. This involves hiring a white-hat hacker (or keeping an internal team) to attack the company's security using a variety of tactics. 

The size of Adult Friend Finder's breach was caused by keeping deleted account data on the servers. Despite only having about 80 million active accounts, the breach lost over 400 million users' information.

Old accounts are often unmonitored, so the business isn't warned that the user was breached. Microsoft, Yahoo, and Apple archive dormant accounts, making them far more difficult to access even with the correct login credentials. If Adult Friend Finder had implemented a similar archiving system, it would have heavily reduced the number of compromised accounts.

How to Check if You’re a Victim of the Adult Finder Hack

The friend finder leak data contained usernames, email addresses, and passwords. There is no online method for looking up whether or not your data is on adult friend finder hack list, but if you are a member of FriendFinder.com, your user account was affected.

Additionally, because Adult Friend Finder acts as an umbrella company, the breach also affected the many sites it manages. These include:

  • Cams.com
  • Penthouse.com
  • Stripshow.com
  • iCams.com

These sites collectively lost roughly 62 million counts of user data. They also stored passwords using a combination of easily broken plain text and SHA1 hashing.

friend finder hack

What to Do if Your Data Was Breached

The first thing you should do is change your password to something very secure. Use a complex combination of letters, numbers, and symbols. Some other precautions to take are: 

  • Be on the lookout for phishing emails. Your information could be used to intimidate you or extort money from you.
  • Cancel any credit cards used on the website.
  • If you used the same password on any other sites, change those as well.
  • Keep an eye on your credit and sign up for credit monitoring with a company like IDStrong.com.
  • Consider a credit freeze so no one can open up new accounts in your name.

Report the incident to Adult Friend Finder to let them know your information has been used for fraud or other illicit purposes.

Can Adult Friend Finder Hacked Information be Used for Identity Theft?

Due to the sensitive nature of the website content and purpose, the stolen accounts are more at risk than most others. In the theft, there were 78,301 who registered for the website using a military email address and another 5,650 that used a .gov (government worker) address. These members are at extreme risk of being extorted or having their identity stolen. For the millions of regular users, they too are in danger of phishing scams, viruses, malware attacks, and identity theft. The information ended up on the dark web and you should be aware that you may become a target because of this data breach. Be extra careful and learn what steps to take to protect yourself.

How to Prevent Data Breach

When signing up for an account with any type of website, you take a risk entering private information, even just your email address. To keep your life and your information private follow the steps below:

  • Keep your computer and other devices updated with the latest operating system, security patches, and antivirus software. Run deep scans often.
  • Use only one credit card online for purchases and check the monthly statement carefully.
  • Never give out personal information online if you don’t have to.
  • Monitor your credit reports and bank statements; look for fraudulent charges.
  • Change your passwords often and make them very complicated.
  • Watch for phishing or scam emails.
  • Never click a link in an email or open any attachments.

You cannot be too careful online. Always use common sense before entering information into a web page, and look for security certificates before making any payments. Stay on top of data breaches and respond quickly if you are affected

 

 

Related Articles

What is Data Leak and How to Prevent Accidental Data Leakage

Data breaches take many forms, and one of them is through data leak and accidental web exposure. M ... Read More

The Saga of T-Mobile Data Breach: 2013, 2015, 2021 and 2023 Hacks

T-Mobile has experienced a number of data breaches in the past decade. The first case occurred som ... Read More

Anthem Data Breach Exposed 78 Million Records

In the Anthem Data Breach of 2015, hackers were able to steal 78.8 million member’s records. ... Read More

Everything You Need to Know About Insider Data Breach

Data breaches are on the news frequently, but the average person doesn’t really know that mu ... Read More

The NSA Hack, How Did it Happen?

The National Security Agency (NSA) was the main attraction in a major data breach involving three ... Read More

Latest Articles

Weekly Cybersecurity Recap February 16

Weekly Cybersecurity Recap February 16

This week was particularly active in Cybersecurity—attacks rained upon all states, from the Great Basin of Nevada to the Volcanoes of Hawaii.

462k Hawaiians and Patients Exposed by Health Network Cyberattack

462k Hawaiians and Patients Exposed by Health Network Cyberattack

Navvis & Company is a comprehensive healthcare network throughout the US, including Hawaii. They offer scalable healthcare services that push patients towards their health and wellness goals while supporting providers' roles to achieve those milestones.

National Vascular Care Provider Confirms Cyber Attack; 348k Exposures

National Vascular Care Provider Confirms Cyber Attack; 348k Exposures

Azura Vascular Care operates a national network of health and wellness centers. They specialize in minimally invasive procedures and strive to treat vascular conditions in comfortable, out-patient settings.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Close
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close