Adult FriendFinder Data Breach
DISCLAIMER: The purpose of this blog post is NOT to discuss the morality of Adult FriendFinder, the morality of “hook-up” websites, or the morality of hacking/cyber-attacks. This is a post about the attack(s) and the subsequent dumps of several Gigabytes (GB) of data.
Timeline of Notable Events
An online adult entertainment community, FriendFinder, is created by Stanford Ph.D. student, Andrew Conru. The website boasts itself as the “world’s largest sex and swinger community” that serves as a way of “bringing in like-minded people together for fun, intimacy and love.”
FriendFinder merges with Cams.com, creating one of the world’s largest live model webcam providers.
Adult FriendFinder becomes the victim of a hacker nicknamed ROR[RG], who reportedly demanded a ransom of $100,000. No credit card information was found in the data dump. Whether it was part of the original intent or just a fringe benefit, 3.5 million users became susceptible to potential humiliation. In addition to usernames, passwords, email addresses and zip codes, the intimate details of sexual fantasies and preferences were included. The victims also included high-ranking government and military personnel.
FriendFinder Networks, Inc. partners with cyber forensics firm, Mandiant, and law enforcement to investigate the breach. The parent company of Adult FriendFinder vows to take additional precautions to protect their customer base.
Penthouse Global Media, Inc. acquires the brand rights of Penthouse from FriendFinder Networks, Inc. FriendFinder Networks still owns Adult FriendFinder.
Multiple sources advise that Local File Inclusion (LFI) vulnerabilities were identified by a researcher who goes by the name 1×0123, aka Revolver.
Adult FriendFinder is purportedly breached for the second time in 17 months.
The breach notification website, LeakedSource, was the first to provide a detailed account of the data breach on November 13th.
FriendFinder Networks, Inc. has acknowledged the existence of some vulnerabilities, but remains tight-lipped in regards to any compromised information. FriendFinder Networks, Inc. has hired the Edelman firm to handle its crisis PR.
Scope of Attack(s)
According to LeakedSource, 412,214,295 user accounts were impacted.
An approximate breakdown by account type:
- Adult FriendFinder: 339 million
- Cams.com: 62 Million
- Other Affiliates such as (former) Penthouse, iCams and StripShow: 13 million
Compromised user information included the following:
- Email addresses (including approximately 16 million “deleted” email addresses)
- Date of Last Visit
Other important information was obtained such as database schemas.
Top Passwords (per llewellynnjean on Reddit):
- 123456 (~900,000 instances)
- 12345 (~625,000 instances)
- 123456789 (~600,000 instances)
- 12345678 (~150,000 instances)
- 1234567890 (~125,000 instances)
- 1234567 (~120,000 instances)
- password (~100,000 instances)
- qwerty (<100,000 instances)
- qwertyuiop (<100,000 instances)
- 987654321 (<100,000 instances)
Local File Inclusion Vulnerability
This basic type of vulnerability can allow an attacker to read files on the company’s web server that were never meant to be served and, in some cases, to execute malicious code and steal data through it. With an online community, the potential for exposure is increased because the site must accept user-generated content that is created and then uploaded to the site. If that input is not properly validated, a malicious value can easily be injected.
Some basic security measures to consider:
- Input validation that flags (and rejects) any non-alphanumeric characters in the value.
- A whitelist of the commonly used, expected values, so that anything else is refused.
- Consistent and systematic patching with an appropriate level of urgency.
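The following is an added example (not code from the original post or from FriendFinder Networks) showing the include-path pattern an LFI bug lives in beside a hardened version that applies the first two measures above, plus a final containment check on the resolved path. The template directory, the allow-list of page names and the sample request values are all constructed for illustration; the `audit` helper is a hypothetical function for reviewing a batch of observed page parameters, such as ones pulled from access logs.

```python
import os
import re

# Constructed values for the example; a real application would load these
# from its own configuration.
TEMPLATE_DIR = "/var/www/app/templates"                   # assumed location
ALLOWED_PAGES = {"home", "profile", "search", "messages"}   # assumed allow-list
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")                 # alphanumerics only


class RejectedInput(ValueError):
    """Raised when a page parameter fails validation."""


def vulnerable_page_path(page: str) -> str:
    """The pattern behind an LFI bug: the include path is built straight from
    the request parameter, so '../' segments walk out of TEMPLATE_DIR."""
    return os.path.normpath(os.path.join(TEMPLATE_DIR, page))


def hardened_page_path(page: str) -> str:
    """Three checks: character allow-list, name allow-list, and a containment
    check on the fully resolved path (belt and braces)."""
    if not NAME_RE.fullmatch(page):
        raise RejectedInput("page name contains non-alphanumeric characters")
    if page not in ALLOWED_PAGES:
        raise RejectedInput("page name is not on the allow-list")
    base = os.path.realpath(TEMPLATE_DIR)
    candidate = os.path.realpath(os.path.join(base, page + ".html"))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedInput("resolved path escapes the template directory")
    return candidate


def is_allowed(page: str) -> bool:
    """True when the hardened check accepts the page parameter."""
    try:
        hardened_page_path(page)
        return True
    except RejectedInput:
        return False


def audit(requests):
    """For a batch of observed page parameters, report which ones the hardened
    check rejects and why. Handy when reviewing logs for probing attempts."""
    report = {}
    for page in requests:
        try:
            hardened_page_path(page)
            report[page] = "ok"
        except RejectedInput as exc:
            report[page] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample of request values: two legitimate, three not.
    samples = ["home", "profile", "admin", "../../../../etc/passwd", "home%00"]
    print("naive join resolves the traversal to:", vulnerable_page_path(samples[3]))
    for page, verdict in audit(samples).items():
        print(f"{page!r}: {verdict}")
```

The character check alone already stops traversal sequences, but the allow-list is what makes the endpoint serve only the handful of pages it was built for, and the `realpath` containment check guards against a future change (a symlink inside the template directory, a looser regex) silently reopening the hole.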
Password Requirements and Password Storage
A majority of the passwords were hashed with SHA1, but were converted to lower case prior to storage.
The act of hashing takes data of any size and converts it into data of a fixed length. SHA1 is a 160-bit hash function that turns its input into 30 alphanumeric characters, and it is the hash function Adult FriendFinder used for the passwords that were hashed. The problem lies in the fact that SHA1 is considered completely obsolete and was deemed so over 10 years ago.
The purpose of hashing passwords is so that, in the event an attack is successful, the passwords are not readily viewable in plaintext. In other words, the intention is not to prevent the breach, but to mitigate the impact should it occur. There are methods such as dictionary attacks, brute force attacks and Rainbow Tables that can be used against hashed passwords.
A hashed password is only as good as the strength of the original password. According to LeakedSource, the number one used password on the site was 123456.
Additional security measures can be taken by adding “Salt” and “Pepper” to the data before it is hashed and stored. “Salt” is a unique value that is added to a password before it gets hashed. On the other hand, “Pepper” is a randomly generated value that is held separately from the data to be hashed. The hashed passwords involved in the incident were peppered.
Going forward, users should be required to use more complex passwords. Also, a stronger hash function should be implemented.
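As an added example (not code from the original post or from the site), the block below puts the lower-cased, unsalted SHA1 scheme described above beside a stronger one that uses a per-user salt, a pepper kept outside the database, and a slow key-derivation function. SHA1 produces a 160-bit digest, which is conventionally written as 40 hexadecimal characters. The pepper value, the iteration count, and the small “dump” of sample passwords are constructed for illustration; PBKDF2-HMAC-SHA256 is my choice of stronger function here, not something the post names.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed pepper for the example. In a real deployment this secret lives
# outside the database (a config secret, KMS or HSM), so a dump of the user
# table alone is not enough to attack the hashes offline.
PEPPER = b"constructed-example-pepper-not-a-real-secret"
ITERATIONS = 100_000   # assumed work factor; tune to your hardware


def legacy_hash(password: str) -> str:
    """The scheme the post describes: lower-case, then unsalted SHA1.
    Returns the 160-bit digest as 40 hex characters."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def shared_hash_groups(hashes):
    """With no salt, identical passwords give identical digests, so a dump can
    be frequency-counted (the 'top passwords' list) without cracking anything."""
    return Counter(hashes).most_common()


def _prehash(password: str) -> bytes:
    # The pepper is applied as an HMAC key over the password.
    return hmac.new(PEPPER, password.encode("utf-8"), "sha256").digest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt + pepper + slow KDF. Returns a self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recomputes the record from its stored parameters; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample "dump": note the case variants collapse together.
    sample = ["123456", "Password", "PASSWORD", "qwerty", "123456"]
    print("legacy groups:", shared_hash_groups([legacy_hash(p) for p in sample]))
    r1, r2 = store_password("123456"), store_password("123456")
    print("same password, different records:", r1 != r2)
    print("verify:", verify_password("123456", r1), verify_password("wrong", r1))
```

Two things the output makes concrete: lower-casing before hashing throws away entropy the user chose to provide, and an unsalted digest is a stable identifier for a password across the whole user table, which is exactly what let analysts rank the site’s most common passwords from the dump. Salting breaks that linkage, the pepper makes a database-only leak insufficient, and the slow KDF makes each guess cost far more than a single SHA1 operation.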
In addition to current patrons of the site, user accounts that were marked for deletion were also found. As mentioned above, Penthouse Global Media, Inc. had purchased the brand rights to Penthouse. Yet, 7 million of their members’ information was a part of the data dump.
Takeaways for the Readers
It is important to know that there is always some security risk associated with any online activity. As an informed participant, know that certain sites will carry more risk than others. You cannot assume that best practices are being carried out by all companies.
There are a few additional methods that you can utilize to better protect yourself:
- Create a web-based email account specifically for online communities and mailing lists.
- Create complex passwords and/or utilize a password manager.
- Do not use the same password multiple times, nor a slightly modified version of the same password.