Security Encyclopedia

AdultFriendFinder Security Breach

Five Things To Know about the Most Sensitive Security Breach

In mid-November 2016, technology and mainstream news outlets reported that AdultFriendFinder, a popular dating site had suffered a major data breach. The breach, which took place in October but went unannounced for weeks, involved an astonishing 412 million users. Subscribers, former subscribers, and the world immediately took notice. The very nature of dating platforms involves enriching one’s profile with personal attributes and, in this case, provocations, remarks and other flourishes one would only make in an assumedly closed setting. Among the site’s paid features are e-mail, private chat rooms, webcams, blogging, and a webzine, all fertile ground for compromising or incriminating evidence — if it should be revealed

AdultFriendFinder is a subsidiary of FriendFinder, Inc. (“FriendFinder Networks”) located in Delray Beach, South Florida. The name is familiar because they suffered a breach less than two years prior to the 2016 one, which was one of that year’s and history’s biggest.

Image credit: Bank Info Security

Here are five things to know about the AdultFriendFinder security breach, the most sensitive among large data breach incidents. 

1. AdultFriendFinder suffered a similar data breach less than two years earlier.

The 2016 AdultFriendFinder security breach follows a similar 2015 breach of the service. This first breach saw 3.5 million records exposed. The information on users was first posted on the dark web on 15 verified CSV files with 27 fields, data that included P address, email, handle, country, state, zip code, language, sex, race, and birth date. The leaked data also included the users’ sexual orientation and whether the subscriber was seeking an extramarital affair. The 2015 breach was the handiwork of a Thai hacker using the handle ROR[RG], who was active on the Hell forum, a secretive Tor onion service. He posted that his reason for the hack was retribution on behalf of a friend who the company owed $247,938.28, and he later posted a $100,000 USD ransom demand to deter further leaks.

2. AdultFriendFinder’s second breach was one of 2016’s largest.

The combined number of records in the 2016 breach, the site’s second in less than two years, was a whopping 412 million records. Information in this second breach contained usernames, emails, join dates and the date of a user’s last visit as well as unprotected or poorly protected passwords. The stolen data consisted of 339 million AdultFriendFinder user accounts, including 15 million “deleted” user accounts, some of them dating back two decades, ones that site operators failed to expunge from their systems. The balance of the records were from AdultFriendFinder affiliate sites Cams.com (62m), iCams.com (1m) and Stripshow.com (1m), as records of its then-owner, Penthouse (7m). Put in context, in 2016 the two Yahoo! security breach revelations encompassing the largest breach in the Internet’s history failed to overshadow news of the AdultFriendFinder debacle. This is likely due to the latter’s racy user information as compared to the more mundane information on Yahoo! users.

3. An AdultFriendFinder breach or similar one can be…sensitive.

With 412 million combined AdultFriendFinder and affiliate sites users affected, the AdultFriendFinder breach is notable for the amount. Its total is about 13 times the amount of users affected by the 2015 Ashley Madison (32m) security breach perpetrated by the Impact Team. A breach of this kind, however, has the added downside of being awkward and embarrassing for those affected. Users on these sites also abandon discretion and they often reveal a lot of information that, truth or fantasy, they would not want traced back to their true identity. There’s an expectation that sites hosting such data and the features around them do not play fast and loose with matters of confidentiality. More distressing, 78,301 users affected by the 2016 breach used a military email address and another 5,650 used a .gov address, especially worrisome due to the potential for identity theft, extortion, and spear phishing.

4. AdultFriendFinder’s operators took security lightly.

It would appear that the 2015 breach did not serve as an adequate wakeup call for AdultFriendFinder’s operators, as it was followed by a far more serious 2016 breach. The same exploit used in 2015 to enter the network was used again in 2016. In the aftermath of the 2016 breach, a white-hat hacker going by the name Revolver, and by 1×0123 on Twitter, revealed a Local File Inclusion vulnerability (LFI) being triggered in photos shared with the media. In the photos, it was still active as the breach was ongoing. LeakedSource said of the 2016 breach that 99 percent of passwords were in plaintext or easily crackable. Some have noted the fact that AdultFriendFinder dates back to 1996, making its systems likely to be outdated. This, however, is further cause for the 2015 incident to have inspired a complete overhaul. 

Image credit: Silicon Republic

5. AdultFriendFinder still thrives despite its breaches.

Despite its security issues and the exposure of user data they’ve caused, AdultFriendFinder is still flourishing. SimilarWeb ranks the site #180 in the US, and #14 in the Adult category globally. The site attracts 50 million visits monthly on average, heavily from the US and larger ones within the Anglosphere, the English-speaking countries of Canada, the UK, and Australia. With the most affordable Gold subscription at $19.95 per month for a 12 month commitment, that’s a great deal of money for a reputation-impaired website. The site continues to be reviewed and compared to OkCupid, Zoosk, and even more mainstream sites such as Match.com.

Fifty million English-speaking users are unfazed by the AdultFriendFinder incident. For millions more, it hopefully stands as a reminder to expect what you post on the Internet to potentially be divulged to the world. It also, again hopefully, is a reminder to take one’s own security seriously and to expect more from all service providers, including social platforms. Legal experts note that in the AdultFriendFinder and Ashley Madison cases, users are loath to seek remedy because it begins with a discussion around private topics. This is an even greater cause to consider security before the need for it is demonstrated, not after.

That’s five things you now know about the AdultFriendFinder security breach. For a summary of the 2016 incident, watch the CNET video below.