Friend Finder Networks Data Breach Compromises 400M Accounts

A data breach at Friend Finder Networks, which runs sites like AdultFriendFinder and Cams.com, affected the accounts of more than 400 million people.

Researchers at LeakedSource said the breach occurred in October 2016. The site typically allows people to search compromised data to see if they have been affected by a hack, but the sensitive nature of many of Friend Finder Networks' properties convinced LeakedSource not to make the information available to the public. They did, however, reveal how Friend Finder Networks failed to secure customer data even after it was hacked in early 2015.

The most notable problem is that many passwords were stored in plain text or with flawed SHA1 hashing. Neither is particularly secure, which means that anyone who stole Friend Finder Networks' data would probably be able to learn the passwords of essentially anyone who used one of its services. This could reveal their personal information, allow them to be impersonated online, and cause other problems for a little less than half a billion people.

Failing to secure these passwords could also make other accounts vulnerable. Many people re-use passwords across multiple sites, which means that a breach at one can have a domino effect that puts someone's entire digital life at risk. Having access to someone's accounts could also enable phishing attacks like the ones already taking place on email and Skype thanks to passwords that were compromised by a LinkedIn data breach from 2012.

This means that well more than 400 million people are at risk because of this data breach. Phishing attacks don't often restrict themselves to just a few victims; they target anyone connected to a compromised account. Whether you ascribe to the belief that there are only six degrees of separation between any two individuals or not, it's  easy to see how those hundreds of millions of accounts could be used to target well over a billion people.

Friend Finder Networks made the problem worse by not deleting customer data. LeakedSource said that it found roughly 15 million accounts belonging to email address that ended with "@deleted.com"--a domain that none of the sites allow during the creation of a new account. This implies that Friend Finder Networks stored customer data even if someone tried to delete all of their information and used the modified email addresses to cover its tracks.

Here's what LeakedSource said about this practice:

We've seen this situation many times before and it likely means these were users who tried to delete their account but the data is obviously still kept around because you know, we're looking at it. According to a reporter it is impossible to register an account using an email that's formatted this way which means the addition of "@deleted.com" was done behind the scenes by Adult Friend Finder. So counting the amount of emails with "@deleted" near the end, we have 15,766,727 "deleted" accounts in AdultFriendFinder.com.

LeakedSource also obtained information about the email addresses used to sign up for these websites, how much traffic services like AdultFriendFinder received, and more. The sheer number of people affected by this breach, and the amount of information made available to whoever compromised the Friend Finder Networks system, could make this the worst hack of 2016. (And that's before the sensitive nature of these sites is taken into account.)

All of this is even more frightening given Friend Finder Networks' hack of 2015. The company said at the time that it was working with the FireEye security firm and law enforcement agencies to investigate the breach, which is estimated to have affected 4 million people. Yet whatever the company did must not have been enough--it was not only hacked again less than two years later, but it failed to take even basic security precautions, too.

That leaves little hope for the so-called "Internet of Threats" borne from insecure Internet of Things products. These devices can be used to take down major websites--which is what happened in October when Dyn was targeted by a massive DDoS attack--and yet manufacturers still haven't made their security a priority. Politicians have called for regulators to change that, but if a company devoted to camshow and hookup sites can't so much as  properly hash user passwords after it was hacked the first time, who's going to believe that many other companies will ever take security seriously?

Friend Finder Networks has not yet commented on this breach. Tom's Hardware reached out to the company and will update if it responds.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • bit_user
    Wow, I remember seeing ads for that like ... 10 years ago? I don't know whether to be more surprised that they still existed or that so many people signed up. I wonder how many of those accounts are duplicate or otherwise fake.
    Reply