In May 2015, AdultFriendFinder.com owned by Friend Finder network Inc. suffered a very embarrassing breach of 3.5 million user accounts, which was very damaging for the users as the breached and sold data included details on sexual preferences and more. The thing is that this breach was very bad for the users affected, but it turns out that the breach back in 2015 only affected a small fraction of
Now AdultFriendFinder.com has been breached again. This time the breach looks like a complete breach of all companies associated with or previously associated with Friend Finder Network Inc., up to and including probably every single deleted account. In the dumped database rows were found with the string format @deleted.com appended to email addresses – indicating that instead of deleting rows, rows were edited to add this string to show “deletion”. Since this string isn’t valid for sign-up, the explanation is very likely to be true.
- 339,774,493 users
- “World’s largest sex & swinger community”
- 62,668,630 users
- “Where adults meet models for sex chat live through webcams”
- 7,176,877 users
- Adult magazine akin to Playboy
- 1,135,731 users
- “Free Live Sex Cams”
- Unknown domain
- 35,372 users
Total: 412,214,295 affected users
Has security practices changed between the two breaches?
2015 breach: I cannot find any documentation of how the passwords were stored. HaveIbeenPwned seems to report data at odds with itself – in the google search it says “In May 2015, the adult hookup site Adult Friend Finder was hacked and nearly … The passwords were stored as MD5 hashes with no salt and many were easily …” but once you click on the link and goto adultfriendfinder, it does not say that passwords were leaked at all.
Tomguide.com says: “— even though passwords were not among the stolen data.” Passwords were apparently either not leaked or not exfiltrated at all by the criminals.
Passwords leaked. They were stored horribly insecure – plaintext or almost-plaintext (see above in the list from leakedsource). Full breach it seems. It is pretty safe to assume that they have not made their password storage more insecure since the first breach, so I think we can conclude that for password storage it does not seem they learned anything.
Storing confidential details of users:
Since no highly confidential data were leaked, it is possible that they have implemented a way to store the highly confidential data separately.
The second breach seems to have happened from a local file inclusion vulnerability. They have no bug bounty and no coordinated disclosure policy that I can find. It seems highly doubtful that they have improved much on their Application Security practices, but it’s hard to tell for sure.
Reflecting on the breach
It is a big breach. It does probably mean that some folks will get caught out having been looking for sex partners online, and to some this may mean personal consequences. But in a year of massive breaches and where almost everyone has had these details breached already, what is the big effect on society, on individuals and what should the effect be on Friend Finder Network Inc.? Am I starting to suffer from breach fatigue? I cannot seem to think this is such a huge catastrophe right now. Am I wrong?