There appears to be evidence that user information belonging to the Friend Finder Network of adult sites - including AdultFriendFinder, self-described as "one of the world's largest sex hookup" sites, and various pornographic sites such as Cams.com and Penthouse.com - was stolen by hackers in October. Worse yet, it appears that the sites may have maintained information on deleted accounts - so, even people who had accounts and later deleted them may be exposed. Passwords - apparently improperly protected on the adult network - may have leaked as well.
Here is what seems to have happened:
In October, a researcher who goes by the name "1x0123" on Twitter (and "Revolver" elsewhere) posted screenshots showing a Local File Inclusion vulnerability (LFI) being exploited on the Adult Friend Finder site. An LFI vulnerability is a mistake in the code running on a website that, when exploited, allows attackers in most cases to force the vulnerable site to display the contents of files found on the site's server. (It can actually allow much more - sometimes the execution of a file that should never be executed - but I simplify for the sake of this article.) Instead of returning the proper result to a query for information, for example, the website might send to the user's web browser the contents of a sensitive file, such as a user database found on the server.
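The following Python is an added illustration, not code from the Friend Finder site or from the researcher's screenshots. It models the mistake behind an LFI (user input joined straight into a file path), the two checks that close it (an allow-list and a containment check on the canonical path), and a simple check a defender could run over access logs; the template directory, page names and log lines are constructed for the example.

```python
import os
import re
from typing import List, Optional

# Assumed layout for this example: page templates live under TEMPLATE_ROOT
# and a request selects one with a ?page= parameter.
TEMPLATE_ROOT = "/var/www/site/templates"
ALLOWED_PAGES = {"home", "profile", "search"}


def resolve_vulnerable(page: str) -> str:
    """The LFI pattern: the request parameter becomes part of a filesystem path.
    '../' sequences walk out of TEMPLATE_ROOT, so a handler that reads and
    returns this path would serve any file the web server process can read."""
    return os.path.normpath(os.path.join(TEMPLATE_ROOT, page))


def resolve_hardened(page: str) -> Optional[str]:
    """Two independent defences. The allow-list alone is sufficient; the
    containment check on the canonical path is kept so that a later change
    to the allow-list (or a symlink inside the template tree) cannot reopen
    the hole. Returns None when the request must be refused."""
    if page not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(TEMPLATE_ROOT)
    path = os.path.realpath(os.path.join(root, page + ".html"))
    if os.path.commonpath([root, path]) != root:
        return None
    return path


# Traversal sequences as they appear raw or URL-encoded in a query string.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def flag_lfi_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request carries a traversal sequence,
    a cheap first-pass detection for LFI probing."""
    return [line for line in log_lines if TRAVERSAL.search(line)]


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /view?page=profile HTTP/1.1" 200',
    '203.0.113.5 - - "GET /view?page=../../../app/config/db.ini HTTP/1.1" 200',
    '198.51.100.9 - - "GET /view?page=..%2F..%2F..%2Fapp%2Fconfig%2Fdb.ini HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(resolve_vulnerable("../../../app/config/db.ini"))  # escapes the template root
    print(resolve_hardened("../../../app/config/db.ini"))    # None: refused
    print(flag_lfi_attempts(SAMPLE_LOG))                     # the two probing lines
```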
According to Leaked Source, which initially reported the breach, the data in the Friend Finder dump included almost 16 million records with email addresses in the format "email@example.com@deleted1.com," potentially indicating that the site was maintaining records for users who had deleted their accounts.
Additionally, Leaked Source reports that the leaked passwords were stored either in plain text - i.e. with no encryption or hashing - or as SHA1 hashes (peppered), a scheme that is no longer considered sufficiently secure for password storage. While, according to Leaked Source, the hashed passwords were converted to all lowercase before storage, making replay by hackers against other sites more difficult than if their original cases had been preserved, the sheer volume of compromised passwords likely means that some passwords will work as is on other sites.
In a statement made last week, Friend Finder stated that: "We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected."
Ironically, last year Friend Finder also suffered a breach; in that case, an estimated 3.5 million account holders had their information exposed. At the time, FriendFinder is reported to have hired FireEye to investigate.
If the reports from Leaked Source are accurate, it would appear that whatever steps were taken to shore up security after the first breach - if any - were woefully insufficient.
Interestingly, there appear to have been tens of thousands of .gov and .mil email addresses in the dump - raising serious questions about the purposes for which some government and military email accounts may have been used.
The lesson to be learned: If you are going to use any website that you do not want anyone else knowing that you used, do not use your real information on the site. Even better, don't use the site at all.