"Their [Friend Finder Networks'] infrastructure is two decades old and slightly confusing." Many of the passwords were simply in plaintext, Leaked Source writes in a blog post. Others had been hashed, the process by which a plaintext password is processed by an algorithm to generate a cryptographic representation, which is safer to store.

But the company fixed a code injection flaw that could have enabled access to source code, Friend Finder Networks told the publication. It wasn't clear if the company was referring to the local file inclusion flaw.

A group that collects stolen data claims to have obtained 412 million accounts belonging to Friend Finder Networks, the California-based company that runs thousands of adult-themed sites in what it described as a "thriving sex community." LeakedSource.com, a service that obtains data leaks through shady underground circles, believes the data is legitimate.

It appears that Friend Finder Networks changed some of the plaintext passwords to all lower-case letters before hashing, which meant that Leaked Source was able to crack them faster.

Breach notification site first reported the attack, indicating that over 300 million Adult Friend Finder accounts were affected, as well as over 60 million accounts from Other company holdings, such as Penthouse, Stripshow, and iCams were also breached, for a total of 412,214,295 affected users.

Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification site, says that at first glance some of the data appears legitimate, but it's still early to make a call. "I'd need to see a complete data set to make an emphatic call on it."

If the data is accurate, it would mark one of the largest data breaches of the year behind Yahoo, which in October blamed state-sponsored hackers for compromising at least 500 million accounts in late 2014 (see Massive Yahoo Data Breach Shatters Records). It also would be the second one to affect Friend Finder Networks in as many years.

Adult dating service company Friend Finder Network has reportedly been hacked, with over 412 million accounts, email addresses, and passwords from their websites made available on criminal marketplaces. Notably, the database does not include more detailed personal information, but could still be used to confirm whether a person was a user of the service.

CSOonline reported that the person posted a redacted image of a server and a database schema generated on Sept.

In a statement supplied to ZDNet, Friend Finder Networks confirmed that it had received reports of potential security problems and undertook a review. Some of the claims were actually extortion attempts.

The hack also revealed that the company had kept information on 15 million accounts that users had deleted, as well as information on users for assets it no longer owned, such as Penthouse. By comparison, the Ashley Madison hack that took place in July 2015 revealed 32 million accounts, although that attack was also accompanied by a more aggressive extortion campaign.
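
The lower-casing before hashing mentioned above can be measured. The following is an added example, not code from Friend Finder Networks or Leaked Source: it shows how case folding makes many distinct passwords share one stored hash, next to a salted, case-preserving alternative. The unsalted SHA-1 choice, the sample password, and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor, tune per host


def folded_hash(password: str) -> str:
    """Weak scheme: fold case, then one unsalted fast hash (SHA-1 is an assumption)."""
    return hashlib.sha1(password.lower().encode()).hexdigest()


def collapsed_variants(password: str) -> int:
    """Number of case variants of this password that share one folded hash."""
    cased = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** cased


def keyspace_ratio(length: int) -> float:
    """Factor by which folding shrinks an alphanumeric keyspace (62 vs 36 symbols)."""
    return (62 / 36) ** length


def store(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: per-user random salt, slow KDF, case preserved."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the KDF output and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "Summer2016x"  # constructed sample password
    print("folded hash equal for a case variant:",
          folded_hash(pw) == folded_hash("sUMMER2016X"))
    print("variants sharing that hash:", collapsed_variants(pw))
    print("8-char alphanumeric keyspace shrinks by x%.1f" % keyspace_ratio(8))
    salt, digest = store(pw)
    print("hardened accepts exact password:", verify(pw, salt, digest))
    print("hardened rejects case variant:", verify(pw.lower(), salt, digest))
```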