Adult FriendFinder Data Breach

DISCLAIMER: The purpose of this blog post is NOT to discuss the morality of Adult FriendFinder, the morality of “hook-up” websites, or the morality of hacking/cyber-attacks. This is a post about the attack(s) and the subsequent dumps of several Gigabytes (GB) of data.


Timeline of Notable Events

1996

An online adult entertainment community, FriendFinder, is created by Stanford Ph.D. student Andrew Conru.  The website describes itself as the “world’s largest sex and swinger community” that serves as a way of “bringing in like-minded people together for fun, intimacy and love.”

2005

FriendFinder merges with Cams.com, creating one of the world’s largest live model webcam providers.

2015

Adult FriendFinder becomes the victim of a hacker nicknamed ROR[RG], who reportedly demanded a ransom of $100,000.  No credit card information was found in the data dump.  Whether it was part of the original intent or just a fringe benefit, 3.5 million users became susceptible to potential humiliation: in addition to usernames, passwords, email addresses and zip codes, the dump included intimate details of sexual fantasies and preferences.  The victims also included high-ranking government and military personnel.

FriendFinder Networks, Inc. partners with the cyber forensics firm Mandiant and with law enforcement to investigate the breach. The parent company of Adult FriendFinder vows to take additional precautions to protect its customer base.

2016

February

Penthouse Global Media, Inc. acquires the brand rights of Penthouse from FriendFinder Networks, Inc. FriendFinder Networks still own Adult FriendFinder.

September

Multiple sources advise that Local File Inclusion (LFI) vulnerabilities were identified by a researcher who goes by the name 1×0123, aka Revolver.

October

Adult FriendFinder is purportedly breached for the second time in 17 months.

November

The breach notification website, LeakedSource, was the first to provide a detailed account of the data breach on November 13th.

FriendFinder Networks, Inc. has acknowledged the existence of some vulnerabilities, but remains tight-lipped in regards to any compromised information.  FriendFinder Networks, Inc. has hired the Edelman firm to handle its crisis PR.

Scope of Attack(s)

According to LeakedSource, 412,214,295 user accounts were impacted.

An approximate breakdown by account type:

  • Adult FriendFinder: 339 million
  • Cams.com: 62 Million
  • Other Affiliates such as (former) Penthouse, iCams and StripShow: 13 million

Compromised user information included the following:

  • Usernames
  • Email addresses (including approximately 16 million “deleted” email addresses)
  • Passwords
  • Date of Last Visit

Other important information was obtained such as database schemas.

Top Passwords (per llewellynnjean on Reddit):

  1. 123456 (~900,000 instances)
  2. 12345 (~625,000 instances)
  3. 123456789 (~600,000 instances)
  4. 12345678 (~150,000 instances)
  5. 1234567890 (~125,000 instances)
  6. 1234567 (~120,000 instances)
  7. password (~100,000 instances)
  8. qwerty (<100,000 instances)
  9. qwertyuiop (<100,000 instances)
  10. 987654321 (<100,000 instances)

Possible Causes

Local File Inclusion Vulnerability

This basic type of vulnerability could allow someone to execute malicious code and steal data using the company’s web server.  With an online community, the potential for exposure is increased because the site depends on user-generated content that is created and then uploaded to the site.  If that input is not properly validated, an attack can easily be injected.

Some basic security measures to consider:

  • Input validation can be set so that any non-alphanumeric characters are flagged.
  • Known-good, commonly used values could be whitelisted.
  • Consistent and systematic patching with an appropriate level of urgency.
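The three measures above, combined into one file-inclusion check, as an added example (this is illustrative code, not anything from Adult FriendFinder or the post; the base directory, page names and `.html` suffix are assumptions):

```python
import os
import re

# Constructed allow-list of page names the server may include; the names
# and the base directory used in the checks below are assumptions.
ALLOWED_PAGES = {"about", "faq", "terms"}
# Measure 1 from the post: anything outside alphanumerics, "_" and "-"
# (dots, slashes, NUL bytes, ...) is rejected before it reaches the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_include(base_dir, requested):
    """Map a user-supplied page name to a file path inside base_dir.

    Layered checks: character validation, allow-list, and finally a
    containment check on the resolved path as defence in depth.
    Raises ValueError on anything that fails.
    """
    if not SAFE_NAME.fullmatch(requested):
        raise ValueError("page name contains disallowed characters")
    # Measure 2 from the post: only known-good names are whitelisted.
    if requested not in ALLOWED_PAGES:
        raise ValueError("page name not on allow-list")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested + ".html"))
    # Even if the checks above were ever loosened, the final path must
    # still sit under base_dir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    return target


def include_is_allowed(base_dir, requested):
    """True when resolve_include accepts the name, False when it rejects it."""
    try:
        resolve_include(base_dir, requested)
        return True
    except ValueError:
        return False
```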

Password Requirements and Password Storage

A majority of the passwords were hashed with SHA1, but converted to lower case prior to storage.

The act of hashing takes data of any size and converts it into data of a fixed length.  SHA1 is a 160 bit hash function which changes data into 30 alphanumeric characters.  For the passwords that were hashed, SHA1 was the hash function utilized by Adult Friend Finder.  The problem lies in the fact that SHA1 is considered to be completely obsolete, and was deemed so over 10 years ago.

The purpose of hashing passwords is so that in the event an attack is successful, the passwords are not readily viewable in plaintext.  In other words, the intention is not to prevent the breach, but to mitigate the impact should it occur.  There are methods such as dictionary attacks, brute force attacks and Rainbow Tables that can be used against hashed passwords.

A hashed password is only as good as the strength of the original password.  According to LeakedSource, the number one used password on the site was 123456.

Additional security measures can be taken by adding “Salt” and “Pepper” to the data before it is hashed and stored. “Salt” is a unique value that is added to a password before it gets hashed.   On the other hand, “Pepper” is a randomly generated value that is held separately from the data to be hashed.  The hashed passwords involved in the incident were peppered.

Going forward, users should be required to use more complex passwords.  Also, a stronger hash function should be implemented.
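The storage scheme the post describes (unsalted SHA1 over a lower-cased password) beside a salted, peppered, slow-hash alternative, as an added example that is not code from Adult FriendFinder or the post; the pepper value, the PBKDF2 iteration count and the sample user records are constructed assumptions:

```python
import hashlib
import hmac
import os

def legacy_hash(password):
    """The scheme described in the post: SHA-1 of the lower-cased password,
    no per-user salt. SHA-1 yields a 160-bit digest, i.e. 40 hex characters."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()

# Assumed server-side secret kept outside the database (the "pepper").
# Constructed placeholder value for this example only.
PEPPER = b"constructed-pepper-placeholder"
ITERATIONS = 200_000  # constructed example work factor

def _peppered(password):
    # Mixing the pepper in via HMAC means a leaked table alone is not enough
    # to start guessing; the pepper must be stolen separately.
    return hmac.new(PEPPER, password.encode("utf-8"), "sha256").digest()

def secure_hash(password):
    """Return (salt, digest): random 16-byte salt plus PBKDF2-HMAC-SHA256.
    The per-user salt defeats rainbow tables and hides which users share
    a password; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, ITERATIONS)

def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def shared_hash_groups(records):
    """Group users whose legacy (unsalted) hashes are identical.
    Every user who chose the post's top password, 123456, shares one digest,
    so a single dictionary hit exposes all of them at once."""
    groups = {}
    for user, password in records:
        groups.setdefault(legacy_hash(password), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}
```

Note that `legacy_hash("Password")` and `legacy_hash("PASSWORD")` collide because of the lower-casing, which shrinks the space an attacker has to search.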

Database Management

In addition to current patrons of the site, user accounts that were marked for deletion were also found.  As mentioned above, Penthouse Global Media, Inc. had purchased the brand rights to Penthouse.  Yet, 7 million of their members’ information was a part of the data dump.

Takeaways for the Readers

It is important to know that there is always some security risk associated with any online activity.  As an informed participant, know that certain sites will carry more risks than others.  You cannot assume that best practices are being carried out by all companies.

There are a few additional methods that you can utilize to better protect yourself:

  • Create a web-based email account specifically for online communities and mailing lists.
  • Create complex passwords and/or utilize a password manager.
  • Do not use the same password multiple times, nor a slightly modified version of the same password.

References

LeakedSource
CSO



About Emily McCamy

Emily jokingly refers to herself as the “New Kid on the InfoSec Block”. She recently earned her associate degree in Cybersecurity from Chattahoochee Technical College, and will begin pursuing a Bachelor of Business Administration in Information Security and Assurance at Kennesaw State University in January 2017. She will also test for her CompTIA Security+ certification in early 2017. Emily is a Georgia native, and is proud to call the Peach State her home. In her spare time, Emily enjoys writing, cooking, watching college football, and listening to industry-related podcasts. You can follow her on Twitter @NKOTISB