Ashley Madison Nightmare Rehashed with Adult FriendFinder Hack

Media Division | November 21, 2016

Hackers work for all kinds of reasons, some even altruistic. The lines between white hat hackers and black can get a little blurry at times. For example, when it comes to hacking private sex lives, is it a white hat exposure or a black hat extortion? Last year, the Ashley Madison hack possibly led to failed marriages and even a couple of reported suicides, but may have had a white hat underlying motivation.  Now we have the Adult FriendFinder leak, reportedly 10 times the size data breach of Ashley Madison.

To date, we don’t know the why or even the who behind the attack.

Your Worst Nightmare

When it comes to cybersecurity, what’s your worst nightmare?  Stolen credit card information, for yourself and your customers? Identity theft or an HR breach? Lost productivity (and the accompanying cost) if your business gets hijacked by ransomware?  For some, an affair being made public would be their worst nightmare.

When Ashley Madison got hacked, the results were published and searchable.  The data dump included names, passwords, even addresses and phone numbers.  Among them were some 15,000 .gov email addresses, available to all for political defamation.  Millions of payment transactions, seven years’ worth, were leaked.

Ashley Madison specifically advertises as an extramarital affair service, and that very private activity became very public.  Now, the Adult FriendFinder breach means approximately 13 times more user profiles leaked.

The FriendFinder Family

Adult FriendFinder.com advertises itself as the “world’s largest sex and swinger community.”  They claim to have over 100 million users, but ZDNet was able to analyze their data and found that over 200 million users hadn’t logged on since 2010.  They were also able to validate several of the accounts, data which was originally leaked on LeakedSource and denied and evaded by FriendFinder.

To date, an estimated more than 400 million user accounts have been leaked. AdultFriendFinder.com accounts for the largest portion of the hack, with 330 million accounts leaked.  Even 15 million user accounts that had been marked as deleted were leaked (so if you signed up while drunk, then deleted it, your data still might be hanging out there on the interwebs).

Then there’s Cams.com, an adult sex talk site (62 million accounts) and even 7 million accounts form Penthouse.com, which didn’t even belong to the FriendFinder family anymore.  Data was available in plain text or coded with SHA-1 (Secure Hash Algorithm 1).

Altogether, this is being called the largest hack of 2016.

What This Hack Does to Security

Even if you were not personally registered on any of the FriendFinder family of accounts, this breach raises some alarming questions for businesses with an online component as well as users of any website, hookup in nature or not. Points to consider:

• Every breach makes other sites less secure.  Like we saw with the LinkedIn > Dropbox hack, and despite every experts best warnings, users use the same user names and passwords on multiple sites.  A data dump of more than 400 million user names and passwords may lead to breaches on other sites, which in turn lead to breaches of other users.  Your Twitter account may get hacked because of someone else FriendFinder account.

• Hackers share data. Ars Technica reported that this hack came via a Local File Inclusion exploit, allowing attackers to “include files located elsewhere on the server into the output of a given application.”  When that data, whatever it was, exported, it brought with it all of this user information.  As other hackers get the specifics on this breach, similar attempts will be made on other sites.  That’s just another way that each attack makes other sites less secure.

• You don’t always know what “secure” means.  Had the FriendFinder users known that SHA-1 was the password encryption method used by their host, would they still have created a login?  Perhaps not.  The point is, when you login to a secure site, or create a user name and password, you don’t always know what security protocols are in place at that company.  It’s a leap of faith, taken with every one of the dozens of user names and passwords we all have.

It all sure makes for some deep thoughts, especially since we are talking about a hookup site.

MEDIA DIVISION
Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.