
FriendFinder Networks: 412m accounts hacked in 2016’s biggest breach

Another adult dating company has been hacked, but this time it’s FriendFinder.

According to breach notification portal LeakedSource, details of around 412-million accounts have made their way into the darkest parts of the web. Notably, the sites affected include AdultFriendFinder (with around 300-million accounts), Cams.com (with another 60-million), and other accounts from the likes of Penthouse and Stripshow.

In total, a quite ridiculous 412 214 295 accounts have been compromised, making this the biggest hack of the year so far.

Warning signs

Notably, warning signs of a possible breach emerged in October 2016 from an anonymous security researcher. FriendFinder Network’s VP noted that the company was “aware of reports of a security incident” and were “investigating to determine the validity of the reports”.

This also isn’t the first big hack in FriendFinder Network’s tenure. Back in May 2015, the company found that 3.9-million users suffered from compromised accounts.

The biggest breach of 2016

This hack is much, much larger though.

LeakedSource claims that this is the largest hack it has ever seen, as FriendFinder Network’s 400-million strong accounts represent “20 years of customer data”.

But it seems that the company wasn’t exactly hell-bent on ensuring these details were kept safe. LeakedSource explains:

Passwords were stored by Friend Finder Network either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.

That suggests that FriendFinder Networks didn’t protect customers’ passwords with a trusted, salted password-hashing method, instead storing them either in plainly visible text or as lowercased SHA1 hashes.
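The LeakedSource description above points at two defects worth seeing side by side: lowercasing a password before hashing collapses distinct passwords onto one hash, and a single static pepper with no per-user salt means every account with the same password shares the same hash, so one cracked hash unlocks all of them at once. The following Python is an added example written for this article, not code from FriendFinder Networks or LeakedSource; the pepper value, the sample passwords and the exact hash layout are constructed assumptions. It contrasts that weak scheme with a hardened one: case-preserving, per-user random salt, a slow memory-hard KDF (scrypt), and a registration-time denylist seeded with the common passwords this article names.

```python
"""Weak (article-described) versus hardened password storage. Added example;
all pepper, salt and password values are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed static pepper shared by every account; a constructed value.
STATIC_PEPPER = b"constructed-pepper-value"

# Registration-time denylist seeded with the most common passwords the
# article reports; a real deployment would use a much larger breach list.
COMMON_PASSWORDS = frozenset({"123456", "12345", "123456789", "12345678", "password"})


def weak_hash(password: str) -> str:
    """The scheme LeakedSource describes: lowercase first, then SHA1 over a
    static pepper plus the password. No per-user salt, so identical (or
    case-variant) passwords always produce identical hashes."""
    folded = password.lower().encode("utf-8")
    return hashlib.sha1(STATIC_PEPPER + folded).hexdigest()


def collisions_from_case_folding(passwords) -> int:
    """Number of distinct passwords that collapse onto an already-seen weak hash."""
    return len(passwords) - len({weak_hash(p) for p in passwords})


def is_denylisted(password: str) -> bool:
    """Case-insensitive denylist check: 'Password' is as weak as 'password'."""
    return password.lower() in COMMON_PASSWORDS


def strong_hash(password: str, salt: Optional[bytes] = None, n: int = 2**14) -> str:
    """Hardened storage: reject denylisted passwords, keep the user's exact
    case, draw a fresh 16-byte salt per account, and run scrypt (slow and
    memory-hard). Encodes the parameters so verification can recompute them.
    Format (constructed for this example): scrypt$<n>$<salt_hex>$<digest_hex>."""
    if is_denylisted(password):
        raise ValueError("password is on the common-password denylist")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt and parameters; compare in constant time."""
    _, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=int(n), r=8, p=1, dklen=32
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    sample = ["Secret", "secret", "SECRET", "Other1"]  # constructed sample passwords
    print("weak scheme collisions among sample:", collisions_from_case_folding(sample))
    print("same password, same weak hash:", weak_hash("Secret") == weak_hash("secret"))
    a, b = strong_hash("Correct Horse Battery"), strong_hash("Correct Horse Battery")
    print("same password, different salted hashes:", a != b)
    print("verify exact case:", verify_strong("Correct Horse Battery", a))
    print("verify wrong case:", verify_strong("correct horse battery", a))
```

Run as a script to see the contrast: the three case variants of "Secret" produce one weak hash, while two registrations of the same strong password produce different stored values that each still verify, and only with the exact case the user typed.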

LeakedSource also found evidence that the company was storing deleted users’ credentials — around 15.7-million users, in fact.

123456789

As for some of the most common passwords, the typical likes of 123456, 12345, 123456789, and 12345678 featured nearly three million times. In fact, the top six most commonly used password combinations included a variant of this format.

“Password” came in as the seventh most popular password.

FriendFinder’s hack is easily the biggest of 2016, sporting 412-million passwords and email address combinations

As for email domains, it seems that most users registered with a Hotmail address (96-million), followed by Yahoo, Gmail and AOL (a combined 145-million). LeakedSource explains that this is largely due to FriendFinder Network’s age — the company was birthed in the same year as Google’s Gmail.

The .gov domain was found more than 5000 times too.

So what now?

FriendFinder’s VP and senior counsel Diana Ballou noted that the company did receive “a number of reports” regarding possible security issues in the weeks prior to the breach.

“FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues,” she continues, in an emailed statement to ZDNet.

It’s unknown how many South Africans are affected by the leaked credentials.

Author | Andy Walker: Editor
