Adult FriendFinder Hack Exposes 412 Million User Accounts


A hack against popular adult dating and entertainment company FriendFinder Networks has exposed personal data linked to more than 412 million user accounts. The breach is one of the largest in history, and marks the second such incident at the company in two years.

Nearly 340 million accounts from the company’s flagship site, Adult FriendFinder, were compromised, according to a report from LeakedSource. The hack also hit other sites owned by FriendFinder Networks, including Cams.com, and exposed records from Penthouse.com, which was sold in February.

The Adult FriendFinder data stretched back 20 years. Information such as usernames, emails, and join dates was stolen, along with account passwords (the majority of which were weakly protected or not protected at all) and membership data like VIP status and browser information. The cache also appears to include 15 million email addresses from deleted accounts.

The response from FriendFinder Networks has left many users angry. The company initially refused to confirm or deny the breach, but said in a statement that it had “received a number of reports regarding potential security vulnerabilities from a variety of sources” and was in the process of taking “several steps to review the situation and bring in the right external partners to support our investigation.”

It wasn’t until recently, a week after publicly admitting that its sites had been compromised, that FriendFinder Networks began directly informing users that their data had been stolen. Several users contacted ZDNet to say they were only alerted to the security issue by a message in their inbox after they’d logged into one of the sites. Although they’d heard about the hack from the media, they hadn’t received any direct communication from the company.

That’s a problem both because a reputable company should be proactive in situations like this, and because any members who no longer use the site (the number is reportedly over 200 million) may not receive news of the hack. All FriendFinder Networks has offered is a vague press release posted two days after the breach.

The statement offered users little comfort or useful advice. It claimed that the company is "in the process of notifying affected users to provide them with information and guidance on how they can protect themselves," but gave no timeline on delivery.

It also said that FriendFinder Networks “encourages” users to change their passwords. “Encouraging” rather than requiring that passwords be changed is an oddly passive approach to a serious problem, as most security professionals consider changing passwords to be standard practice after any kind of data breach.

The small bright side here? LeakedSource said it will not make the hacked data searchable because of the nature of the breach. At least someone is taking public, proactive action.