Friend Finder Data Breach Exposes 400M Swingers
Nov 19, 2016 10:35 AM PT
Hackers have stolen information of more than 400 million users of Friend Finder Networks, which runs several adult dating and pornography websites, LeakedSource reported earlier this week.
This is Friend Finder's second breach in two years. Last year, hackers accessed 4 million accounts, exposing information on users' sexual preferences and extramarital affairs.
Data of more than 412 million users was compromised in the latest breach, LeakedSource reported. Passwords taken in the breach were either in plain text or SHA1 hashed, and neither method could be considered secure.
The hashed passwords appeared to have been changed to all lowercase before storage, which shrinks the set of candidates an attacker has to try and so makes them easier to crack, the LeakedSource team noted. However, it also makes the recovered passwords less directly usable elsewhere, since the original capitalization is lost.
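To make the storage problem concrete, the following added example (not code from the article or from Friend Finder, and using constructed sample records rather than breached data) reproduces the described scheme, lowercasing followed by SHA1, beside a salted slow-KDF scheme. It assumes the SHA1 hashes were unsalted, which the article does not state, and shows two defender-relevant consequences: case variants collapse to one stored value, and every user with the same password shares an identical hash, whereas per-user salts remove both.

```python
import hashlib
import hmac
import os
from collections import Counter


def legacy_sha1_lowercased(password: str) -> str:
    """Scheme described in the article (assumed unsalted): lowercase, then bare SHA1."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()


def case_variants_collide(a: str, b: str) -> bool:
    """True when two distinct passwords yield the same stored hash, i.e. case information was discarded."""
    return a != b and legacy_sha1_lowercased(a) == legacy_sha1_lowercased(b)


def shared_hash_groups(records: dict) -> dict:
    """Audit check: with unsalted hashes, anyone holding the table sees which users share a password.

    Returns {hash: number_of_users} for every hash that appears more than once."""
    counts = Counter(records.values())
    return {h: n for h, n in counts.items() if n > 1}


# Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the
# standard library), so equal passwords no longer share a digest and guessing is slow.
def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; case is preserved."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample table (hypothetical users and passwords, not breach data).
SAMPLE_USERS = {
    "alice@example.test": legacy_sha1_lowercased("Summer2016"),
    "bob@example.test": legacy_sha1_lowercased("SUMMER2016"),   # differs only by case
    "carol@example.test": legacy_sha1_lowercased("correct horse"),
}

if __name__ == "__main__":
    print("case variants collide:", case_variants_collide("Summer2016", "SUMMER2016"))
    print("users sharing a hash:", shared_hash_groups(SAMPLE_USERS))
    rec = pbkdf2_store("Summer2016")
    print("salted verify (exact):", pbkdf2_verify("Summer2016", rec))
    print("salted verify (case changed):", pbkdf2_verify("SUMMER2016", rec))
```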
Whatever Hackers Want, Hackers Get
Friend Finder reportedly has been aware of potential security vulnerabilities for several weeks and has been taking steps to investigate them. Several reports of flaws apparently were extortion attempts, but one was an injection vulnerability that the company fixed.
Friend Finder did not respond to our request to comment for this story.
Friend Finder maintains that it takes the security of its customers seriously, as is typical of companies that suddenly find millions of their users' accounts hacked.
"It is hard to tell if a company that has been breached is lax in their security," said Jon Clay, director of global threat communications at Trend Micro.
"History has proven that hackers are able to penetrate many organizations regardless of their security controls," he told TechNewsWorld.
However, this case doesn't merit the benefit of the doubt, according to Stu Sjouwerman, CEO of KnowBe4.
"This is criminal negligence, as it's not the first time," he told TechNewsWorld.
"This hack is very similar to the data breach they had last year," Sjouwerman said. "Their procedures and policies are severely lacking. Even users who believed they deleted their accounts have had them stolen again."
There were nearly 16 million accounts with @deleted1.com appended to them, LeakedSource said, which could mean Friend Finder decided to store information on accounts that users wanted deleted.
Friend Finder wouldn't be alone in such treatment of customers who asked to have their accounts deleted, noted Tony Anscombe, the security evangelist at Avast.
"It's very difficult to have a company delete your account data. Typically, the settings to do it are hidden. They don't want to delete you because they want to market to you going forward," he told TechNewsWorld.
"There has to be a better method across the whole industry of allowing somebody to remove their data from a database," he added.
Get Ready for Extortion
The consequences for users from the breach at Friend Finder likely will be similar to those suffered by users of the infidelity site Ashley Madison after its data was breached.
"Identity theft and extortion are two of the main consequences for the victims whose information was stolen," said Trend Micro's Clay.
Anyone with an email address in the stolen data can expect to receive harassing or threatening emails, as well as click bait offers to "see if your name and password are on the list," KnowBe4's Sjouwerman added.
"Do not go looking for your data," warned Avast's Anscombe.
"Lots of scammers will say they've got it. There will be sites popping up saying 'check to see if you were part of this breach.' Those sites are gathering data," he explained.
"When you type in your email address to see if you were part of the breach -- guess what? -- you just gave a cybercriminal somewhere your email address," he said.
Short Attention Span
Consumers aren't the only ones who suffer from gigantic breaches.
"Data sets of credentials that contain user names, emails, passwords, and answers to secret questions are sold to attackers targeting enterprises," noted Israel Barak, CISO of Cybereason.
"They're looking to take advantage of users that re-use their passwords," he told TechNewsWorld.
"Those users use the same password for the dating site, as well as for their corporate email, corporate VPN, personal email, personal bank account and so forth," Barak said.
"This scenario has been shown to be extremely effective after the LinkedIn breach that led to numerous secondary breaches based on reused passwords," he added. "This will be a very likely outcome of the Adult Finder breach as well."
And what about the damage to Friend Finder? The breach likely will be no more than a near-term setback for Friend Finder, if Ashley Madison is any indicator. Traffic bounced back in a short period of time following its massive hack attack.
However, the impact is "broader than these sites," said Rami Essaid, CEO of Distil Networks.
It affects "how we are as a society in general," he said.
"Target rebounded; Home Depot rebounded," Essaid told TechNewsWorld. "The repercussions of being a victim of a breach are short-lived. We have a very short memory as a society and are not holding people accountable long-term."