Adult dating site Adult FriendFinder has reportedly suffered an almost total hack of its user files, with hackers breaching 412 million accounts.
Poor Security Means Even ‘Deleted’ Accounts Hacked
The huge figure dwarfs previous attacks on the site and its partners, of which there have been several in recent years. Commentators are already blaming substandard security.
So far, the company has given no direct acknowledgment that any of the site’s property was compromised. Adult FriendFinder’s social media feeds do not mention anything wrong at all.
“Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation,” a statement issued over the weekend reads.
The news first came to light via Leaked Source, a so-called “breach notification site”. It warned of significant attacks, not just on Adult FriendFinder accounts but also on those of its sister sites. The hack even included 15 million ‘deleted’ accounts, which the site kept for unknown reasons.
“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability,” ZDNet quoted from an email by CEO Diana Ballou.
Leaked Source also said it was able to crack 99.3% of all the passwords from the main site database, and up to 99.9% from subsidiary site databases.
The perpetrator remains unknown, for now. The timing is notable, in that it occurred just after a security researcher called “Revolver” exposed another security flaw on Adult FriendFinder’s site.
ZDNet continued, however, that “When asked, Revolver denied he was behind the data breach, and instead blamed users of an underground Russian hacking site.”
Adult FriendFinder Did Use Legacy Encryption
A silver lining could lie in the fact that the nature of information held in user accounts is relatively impersonal.
A previous attack on 4 million accounts in 2015 exposed items such as users’ sexual preference and purchasing information, which appear to be absent from this year’s giant hoard.
Nonetheless, security at Adult FriendFinder is already under suspicion.
Items such as usernames, email addresses and passwords are stored in plaintext or hashed with SHA-1, which experts consider insufficient under current best practices. Solutions such as 2-factor authentication could have easily helped avert a breach of this magnitude.
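The gap between unsalted SHA-1 and current practice for password storage, as an added example that is not code from Adult FriendFinder or Leaked Source: it puts the weak scheme beside a salted scrypt record and upgrades legacy records when a user next logs in. The function names, the record format and the scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune them for the hardware in use.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_sha1(password: str) -> str:
    """Weak scheme named in the article: one fast, unsalted SHA-1 pass."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened record: per-user random salt plus memory-hard scrypt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement). replacement is a new scrypt record only
    when a legacy SHA-1 record verified and should be overwritten."""
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(
            password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT
        )
        ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
        return ok, None
    # Anything else is treated as a legacy 40-hex-character SHA-1 record.
    if hmac.compare_digest(legacy_sha1(password), stored):
        return True, hash_password(password)
    return False, None


if __name__ == "__main__":
    pw = "example-password-1"  # constructed sample value
    # Unsalted: every user with this password shares one record.
    print("sha1 records equal:  ", legacy_sha1(pw) == legacy_sha1(pw))
    # Salted: the same password yields a different record each time.
    print("scrypt records equal:", hash_password(pw) == hash_password(pw))
    ok, replacement = verify_and_upgrade(pw, legacy_sha1(pw))
    print("legacy login ok:", ok, "upgraded to:", replacement.split("$")[0])
```

Accounts that never log in again keep their legacy record under this approach, so dormant and deleted accounts need separate handling.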
The site meanwhile said it had been receiving alerts “over the past several weeks”, seemingly reflecting issues in control and understanding of security.