The incident itself is likely to have occurred before October 20, 2016, with the last login timestamps for user accounts occurring on October 17.
As the publication reports, one researcher identified the LFI flaw and warned Adult Friend Finder about the vulnerability.
Furthermore, Leaked Source was able to determine that a notable number of users had an email in the form of ‘[email protected]@deleted1.com’, a clear indicator that the user associated with the account sought to delete the account, while Adult Friend Finder tagged these to-be-deleted accounts with “@”. A mammoth 16,766,727 so-called deleted accounts were discovered in total. The websites that have been targeted, along with the number of compromised user accounts.
Altogether, that’s over a staggering 400 million user accounts or 20 years of customer data leaked during the breach, making it the largest recorded breach this year, firmly surpassing the MySpace breach, which saw 360 million compromised user accounts.
Alarmingly, 99% of all available passwords gathered from the breach are visible in plaintext.
CSOOnline reveals that information from the breached databases has been circulating online since their compromise in October 2016.
More specifically, the LFI was discovered in a module on Adult Friend Finder’s production servers.
“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability,” ZDNet quoted from an email by CEO Diana Ballou.
Passwords were also included in the trove -- the vast majority of them featured unsecured protections or none at all, the report said.
Leaked Source said the alleged breach includes nearly 340 million accounts from flagship site Adult Friend Finder, plus data from other sites owned by Friend Finder Network, including Cams.com, as well as records from Penthouse.com, which was sold in February.
Like all sectors -- government, retail, finance and healthcare -- the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways. Take for example this week's breach-bloodbath, in which Friend Finder Networks (FFN) lost their source code to criminal hackers and put their users at serious risk.
Combined with Ashley Madison's many deceits, FFN also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.