Private data of millions of users leaked after one of the world’s biggest porn networks is hacked

Uh-oh.

The private details of over 412 million personal accounts have been leaked after Friend Finder Networks, one of the largest adult dating and pornography companies on the internet, was hacked. According to monitoring firm Leaked Source, Friend Finder Networks was hacked in October of this year via a Local File Inclusion exploit, releasing information from over 412 million accounts across more than five different websites. The vast majority of those accounts (a little under 340 million of them, in fact) belonged to adultfriendfinder.com, described on its website as “the world’s largest sex and swinger community”. Personal data from accounts registered with cams.com (a live sex camera site), Penthouse.com, stripshow.com, icams.com and another unknown domain were also leaked as a result of the hack. Leaked Source said of the hack that it was “by far the largest breach we have ever seen,” dwarfing the leak of almost 360 million MySpace accounts in 2013. It’s not the first time Friend Finder has been hacked either, having been subject to a similar data breach in 2015. Speaking to ZDnet, Friend Finder Networks vice president and senior counsel Diana Ballou didn’t confirm the data breach, but did say that they were investigating the matter and that customers would be updated. “FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources,” he said. “While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.” While the identity of the hackers is unclear, it would appear as if Friend Finder was extremely vulnerable to such an attack. Leaked Source said: “Passwords were stored by Friend Finder Networks either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world. “At this time we also can't explain why many recently registered users still have their passwords stored in clear-text, especially considering they were hacked once before,” they added.