Tag Archives: Adult Friend Finder

Adult Web Site Hacked – 400 Million IDs Hacked

Adult Friend Finder, which bills itself as the largest sex and swinger community, was hacked, for the second time in a year.


Last year was small beans.  Last month it was:

  • Adultfriendfinder.com – 339 million
  • Cams.com – 62 million
  • Penthouse.com – 7 million (and they don’t even own the web site any more)
  • Stripshow.com – 1 million
  • iCams.com –  1 million

What is interesting is that they were hacked with an exploit called a local file inclusion attack.  With this kind of attack, the hacker tricks the web site to coughing up some file that exists on the web site.  In this case, the web site’s own password file.  GAME OVER as someone who used to work for me would say.

Among the IDs that were leaked were about 15 million that were marked deleted, but apparently were not actually deleted.

On top of this, the passwords were either not encrypted at all or weakly encrypted.  For Adultfriendfinder.com, 103 million were not encrypted and 232 million were weakly encrypted.  99% of those have been decrypted.  The numbers for the other sites were just as embarrassing.

The good news is that, hopefully, the passwords that people used there were not used elsewhere.  The top passwords were 123456, 12345, 123456789 and 12345678.  Unfortunately, those only add up to around 2 million of the 400+ million passwords compromised.

One more time, people are using their work emails to register for adult web sites.  5,650 .Gov emails and 78,000 .Mil emails.  We don’t know, yet, how many company emails were included, but we will. Have people not heard of Gmail?  Granted, in the context of 400 million, these numbers are very small, but still…..

Initially when the hacker told them about the hack, he says they told him he was a fraud.  Getting a bit upset about being called a fraud, he dumped the database on them.  Oops.

In addition to the user information being hacked, their source code and their private encryption key is now being circulated.

I am sure that they are still trying to assess the damage, but all they have admitted to is that userids, emails and password were compromised.  Looking at the tables that were made available, it sure looks like there may be more.  All in all about 90 databases were supposedly stolen.

Lessons to learn:

  1. If someone contacts you and says he has hacked you, be careful about dismissing him.  The fact that you have not been able to verify the claim doesn’t mean it isn’t real.
  2. Really.  UNENCRYPTED PASSWORDS?  In 2016?  Come on!
  3. If you say you are going to delete people’s identities, actually do that.
  4. If you are hacked once, up your security game.
  5. Don’t use weak encryption.
  6. You better have your incident response plan ready.  Or your resume.

The data, supposedly, goes back 20 years, so people who were members while they were in high school or college are likely still in the system and were compromised.

For email phishing, this is likely fertile ground, so expect all kinds of phishing attacks to come out of this.

One more time, a company did not, apparently, take security seriously and are now going to have to deal with that fact.


Data for this post came from Leaked Source (great post), CSO Online and Ars Technica.



Adult Dating Site Hacked; Member’s “Interests” Revealed

CNN and others have reported on the hacking of the adult dating site AdultFriendFinder, where members enter their interests in non-traditional sexual relationships.  Over 3 million members “interests” and other information were revealed in the data released so far.

According to the site, it has  “helped millions of people find traditional partners, swinger groups, threesomes, and a variety of other alternative partners.”  AdultFriendFinder claims to have over 60 million members, but data has been released on only around 3.5 million of those members.  Whether the hacker has more data to release later or not is unclear.

Information revealed includes email address, birthday, password and sexual preferences.  From this information, it is pretty easy to use social media and Google to figure people’s names.

The Mirror is saying that nude pictures of members were also part of the hacked data.

CIO magazine said that credit card data may be among the hacked data as well, but removed from the data available for sale.  They said the database is available for 70 bitcoins or around $17,000.

The hacker who claims to have done this said that he attempted to blackmail the site for $100,000, which I gather they did not pay.

Other hackers on the forum said that they planned to use the information to attack victims.  Apparently, a number of the members are government employees, including law enforcement.  One potential form of attack would be to blackmail the victims.

FriendFinder Networks, who owns the site along with other adult sites and publications, said that they didn’t know the extent of the breach, but were working with law enforcement and Mandiant.

In a statement they said “We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected,”

I am not sure how they might protect their customers – I don’t think there is reputation protection insurance available.

While users of a site like this should have an expectation of privacy, this should be a reminder that there are no guarantees.