Adult Web Site Hacked – 400 Million IDs Hacked

Adult Friend Finder, which bills itself as the largest sex and swinger community, was hacked, for the second time in a year.


Last year was small beans.  Last month it was:

  • – 339 million
  • – 62 million
  • – 7 million (and they don’t even own the web site any more)
  • – 1 million
  • –  1 million

What is interesting is that they were hacked with an exploit called a local file inclusion attack.  With this kind of attack, the hacker tricks the web site to coughing up some file that exists on the web site.  In this case, the web site’s own password file.  GAME OVER as someone who used to work for me would say.

Among the IDs that were leaked were about 15 million that were marked deleted, but apparently were not actually deleted.

On top of this, the passwords were either not encrypted at all or weakly encrypted.  For, 103 million were not encrypted and 232 million were weakly encrypted.  99% of those have been decrypted.  The numbers for the other sites were just as embarrassing.

The good news is that, hopefully, the passwords that people used there were not used elsewhere.  The top passwords were 123456, 12345, 123456789 and 12345678.  Unfortunately, those only add up to around 2 million of the 400+ million passwords compromised.

One more time, people are using their work emails to register for adult web sites.  5,650 .Gov emails and 78,000 .Mil emails.  We don’t know, yet, how many company emails were included, but we will. Have people not heard of Gmail?  Granted, in the context of 400 million, these numbers are very small, but still…..

Initially when the hacker told them about the hack, he says they told him he was a fraud.  Getting a bit upset about being called a fraud, he dumped the database on them.  Oops.

In addition to the user information being hacked, their source code and their private encryption key is now being circulated.

I am sure that they are still trying to assess the damage, but all they have admitted to is that userids, emails and password were compromised.  Looking at the tables that were made available, it sure looks like there may be more.  All in all about 90 databases were supposedly stolen.

Lessons to learn:

  1. If someone contacts you and says he has hacked you, be careful about dismissing him.  The fact that you have not been able to verify the claim doesn’t mean it isn’t real.
  2. Really.  UNENCRYPTED PASSWORDS?  In 2016?  Come on!
  3. If you say you are going to delete people’s identities, actually do that.
  4. If you are hacked once, up your security game.
  5. Don’t use weak encryption.
  6. You better have your incident response plan ready.  Or your resume.

The data, supposedly, goes back 20 years, so people who were members while they were in high school or college are likely still in the system and were compromised.

For email phishing, this is likely fertile ground, so expect all kinds of phishing attacks to come out of this.

One more time, a company did not, apparently, take security seriously and are now going to have to deal with that fact.


Data for this post came from Leaked Source (great post), CSO Online and Ars Technica.



Leave a Reply

Your email address will not be published.