Adult Friend Finder Hacked, 412 Million Accounts Exposed
Table of Contents
- Unique Dangers of the Adult Friend Finder Breach
- When Was the Adult Friend Finder Data Breach?
- How Adult Friend Finder Responded to the Attack
- Adult Friend Finder 2015 Breach
- How Did the Breach Happen?
- Did the Breach Affect Adult Friend Finder?
- How the Breach Could Have Been Prevented
- How to Check if You’re a Victim of the Adult Friend Finder Hack
- What to Do if Your Data Was Breached
- Can Adult Friend Finder Hacked Information be Used for Identity Theft?
- How to Prevent Data Breach
Aug 05, 2020
Six databases owned by Friend Finder Networks, Inc. suffered a massive data breach in 2016 that exposed the accounts of 412 million users. Not only were usernames and passwords stolen, but 15 million deleted accounts were also included in the mix.
Adult Friend Finder is an adult dating/entertainment website that calls itself the “world’s largest sex and swinger community.” Along with Adult Friend Finder, accounts from Cams.com and Penthouse.com were also accessed in the data breach.
A security researcher named “Revolver” first discovered the breach. In the 2015 Friend Finder hack, sensitive data regarding members’ sexual preferences, extramarital affairs, and purchases made on the site was lost. This latest breach, however, appears to have only compromised accounts. Friend Finder executives have been slammed in the media for poor security practices, and they have not publicly commented on the data breach.
Unique Dangers of the Adult Friend Finder Breach
The sheer volume of lost information set the Adult Friend Finder attack apart from other breaches that year. However, it was the explicit nature of the website’s content that made the event particularly dangerous.
While society’s attitude toward sexual freedom has evolved tremendously in the past decade, most people still prefer to keep their intimate activities private. People using adult dating or pornographic sites tend to leave their inhibitions behind and interact with content they wouldn’t publicly share.
Users may be ashamed or embarrassed by what they do or say on sites like Adult Friend Finder. This circumstance opens up many new ways for criminals to leverage leaked information. Along with potential identity theft, users are at risk of being blackmailed as well.
When Was the Adult Friend Finder Data Breach?
After investigating, cybersecurity officials believe the Adult Friend Finder data breach occurred before October 20, 2016. Revolver warned Friend Finder about the potential vulnerability on October 18, 2016. Along with the accounts, source code from the company's websites and public/private key pairs also showed up for sale on the dark web.
How Adult Friend Finder Responded to the Attack
Adult Friend Finder did very little in response to the attack. It wasn't until a week after they announced the breach that the site began notifying its users. By then, an independent hacker had already released the news much more directly.
Little to no communication followed besides an initial press release recommending that users update their passwords. Users reported that the password requirements didn't change after the breach and weren't even case-sensitive.
Adult Friend Finder 2015 Breach
It seems that some hard lessons need to be learned twice. Adult Friend Finder's 2016 breach wasn't an isolated incident. The company experienced an earlier attack under similar circumstances less than two years before. That breach lost the credentials, card information, and site history of 3.5 million users.
Due to the sensitive material that the site worked with, leaked information also included sexual orientation, fetishes, and whether the user was seeking an affair. The attack was carried out by a Thai hacker who released the data on the dark web.
The 2015 breach wasn't nearly as impactful as the one in 2016, but it should have served as a wake-up call to the company. The fact that similar cybersecurity weaknesses were targeted during both incidents indicates a severe lack of awareness.
How Did the Breach Happen?
After the 2015 breach, Adult Friend Finder's weaknesses were laid bare. After the site failed to update to newer protocols, a larger-scale attack was inevitable.
A white-hat hacker with the screen name "Revolver" released news of the 2016 breach. This individual located a local file inclusion (LFI) vulnerability activated in the photos shared in promotions. An LFI is typically found in poorly written code: the application builds a server-side file path from input a third party controls without validating it, so that party can make the server read or include files it was never meant to expose.
Afterward, investigations found that nearly all of the server's passwords were stored in plain text. Proper security systems store passwords as slow, salted hashes and encrypt other sensitive information, so the data stays protected even if criminals manage to steal it.
Adult Friend Finder's defenses were so exploitable because they'd been largely untouched since 1996. Cyberthreats are evolving rapidly, and entire professions have formed around locating weak points in a server. Neglecting online security for so long can be construed as professional negligence, and the site even had a class action lawsuit filed against it.
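The file inclusion weakness described above, shown as a vulnerable path lookup beside a hardened one. This is an added example, not code from Adult Friend Finder or from the original article; the function names, the `promo_images` directory and the sample files are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

def resolve_unsafe(base_dir, requested):
    """Vulnerable pattern: the request value is joined to the base path unchecked."""
    return os.path.join(base_dir, requested)

def resolve_safe(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the served directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError("no such file in the served directory")
    return candidate

def demo():
    """Build a constructed directory tree and compare both resolvers."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "promo_images")  # hypothetical served folder
    os.mkdir(served)
    with open(os.path.join(served, "banner.txt"), "w") as f:
        f.write("public asset")
    with open(os.path.join(root, "app_config.txt"), "w") as f:
        f.write("constructed secret")
    results = {}
    for name in ("banner.txt", "../app_config.txt", "/etc/hostname"):
        unsafe = os.path.realpath(resolve_unsafe(served, name))
        escaped = not unsafe.startswith(os.path.realpath(served) + os.sep)
        try:
            resolve_safe(served, name)
            verdict = "served"
        except (PermissionError, FileNotFoundError) as exc:
            verdict = type(exc).__name__
        results[name] = (escaped, verdict)
    return results

if __name__ == "__main__":
    for name, (escaped, verdict) in demo().items():
        print(f"{name!r}: unsafe lookup escapes={escaped}, safe lookup={verdict}")
```

An allowlist of known file identifiers mapped to paths on the server removes the user-controlled path entirely and is stronger still where the set of files is fixed.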
Did the Breach Affect Adult Friend Finder?
Target experienced a phishing-based data breach in 2013 that cost the retailer an estimated $350 million. Much of this damage was caused by people's loss of trust in Target and increased reluctance to shop at its stores.
Surprisingly, Adult Friend Finder didn't go through the same backlash. Its average monthly visits kept strong and currently sit at 50 million, which puts it in the top 15 most popular sites in the adult industry. Most of this traffic comes from English-speaking regions in the west.
As of 2021, the site had over 80 million users globally, with the cheapest subscription costing $20 per month. This level of success makes it comparable to industry heavy hitters like Hinge, OkCupid, and Tinder.
Analysts conjecture that this resilience to reputational damage comes from the type of content Adult Friend Finder engages with. Also, affected parties are less likely to complain about their lost data since that would mean openly admitting to using the site.
How the Breach Could Have Been Prevented
Adult Friend Finder's general apathy toward updating its security systems painted a giant target on its back. The 2015 breach can be viewed as a probing tactic, with the more significant and devastating attack following later.
Utilizing a more complex encryption system for passwords and other member data would have made the site a much less enticing target. However, their security measures must have failed at various steps to allow the password collection in the first place.
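The storage weaknesses this page lists (plain text, SHA1, passwords that were not case-sensitive) contrasted with a salted, slow password hash. This is an added example, not the site's code or part of the original article; `legacy_sha1` is a constructed model of those weaknesses, and the function names, sample passwords and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2-HMAC-SHA256 work factor; tune for your hardware
ITERATIONS = 600_000

def legacy_sha1(password):
    """Constructed weak scheme: case folded, unsalted, single fast SHA-1."""
    return hashlib.sha1(password.lower().encode()).hexdigest()

def hash_password(password, salt=None):
    """Return (salt, derived_key) using a per-user random salt and PBKDF2."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(password, salt, expected):
    """Recompute the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)

def compare():
    """Contrast both schemes on constructed sample passwords."""
    a, b = "Summer2016!", "summer2016!"  # constructed: differ only in case
    salt1, key1 = hash_password(a)       # user 1
    salt2, key2 = hash_password(a)       # user 2 picks the same password
    return {
        # Case folding shrinks the search space: both spellings share a digest
        "legacy_case_collapses": legacy_sha1(a) == legacy_sha1(b),
        # No salt: every user with this password has the identical digest
        "legacy_same_for_all_users": legacy_sha1(a) == legacy_sha1(a),
        # Per-user salt: the same password yields different stored keys
        "salted_differs_per_user": key1 != key2,
        "correct_verifies": verify_password(a, salt1, key1),
        "wrong_case_rejected": not verify_password(b, salt1, key1),
    }

if __name__ == "__main__":
    for check, outcome in compare().items():
        print(f"{check}: {outcome}")
```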
Standard cybersecurity practices employ a combination of hybrid cloud security, web application firewalls, and email security to stay secure. These systems automatically update or are manually reconfigured to handle new threats. Staying up to date is essential in ensuring your team is consistently warned of any problematic files or programs.
Regular inspections and testing play a large part in helping a site better understand its weaknesses. This involves hiring a white-hat hacker (or keeping an internal team) to attack the company's security using a variety of tactics.
The size of Adult Friend Finder's breach was caused by keeping deleted account data on the servers. Despite only having about 80 million active accounts, the breach lost over 400 million users' information.
Old accounts are often unmonitored, so the business isn't warned that the user was breached. Microsoft, Yahoo, and Apple archive dormant accounts, making them far more difficult to access even with the correct login credentials. If Adult Friend Finder had implemented a similar archiving system, it would have heavily reduced the number of compromised accounts.
How to Check if You’re a Victim of the Adult Friend Finder Hack
The Friend Finder leak data contained usernames, email addresses, and passwords. There is no online method for looking up whether or not your data is on the Adult Friend Finder hack list, but if you are a member of FriendFinder.com, your user account was affected.
Additionally, because Adult Friend Finder acts as an umbrella company, the breach also affected the many sites it manages. These include:
These sites collectively lost roughly 62 million counts of user data. They also stored passwords using a combination of easily broken plain text and SHA1 hashing.
What to Do if Your Data Was Breached
The first thing you should do is change your password to something very secure. Use a complex combination of letters, numbers, and symbols. Some other precautions to take are:
- Be on the lookout for phishing emails. Your information could be used to intimidate you or extort money from you.
- Cancel any credit cards used on the website.
- If you used the same password on any other sites, change those as well.
- Keep an eye on your credit and sign up for credit monitoring with a company like IDStrong.com.
- Consider a credit freeze so no one can open up new accounts in your name.
Report the incident to Adult Friend Finder to let them know your information has been used for fraud or other illicit purposes.
Can Adult Friend Finder Hacked Information be Used for Identity Theft?
Due to the sensitive nature of the website's content and purpose, the stolen accounts are more at risk than most others. In the theft, 78,301 users had registered for the website using a military email address and another 5,650 had used a .gov (government worker) address. These members are at extreme risk of being extorted or having their identity stolen. The millions of regular users are also in danger of phishing scams, viruses, malware attacks, and identity theft. The information ended up on the dark web, and you should be aware that you may become a target because of this data breach. Be extra careful and learn what steps to take to protect yourself.
How to Prevent Data Breach
When signing up for an account with any type of website, you take a risk entering private information, even just your email address. To keep your life and your information private, follow the steps below:
- Keep your computer and other devices updated with the latest operating system, security patches, and antivirus software. Run deep scans often.
- Use only one credit card online for purchases and check the monthly statement carefully.
- Never give out personal information online if you don’t have to.
- Monitor your credit reports and bank statements; look for fraudulent charges.
- Change your passwords often and make them very complicated.
- Watch for phishing or scam emails.
- Never click a link in an email or open any attachments.
You cannot be too careful online. Always use common sense before entering information into a web page, and look for security certificates before making any payments. Stay on top of data breaches and respond quickly if you are affected.