FriendFinder Networks, the parent company of sites including AdultFriendFinder, Cams.com, Penthouse and Stripshow, has reportedly been hacked, exposing details of 412 million accounts.
According to leakedsource.com, 99% of all available passwords are now visible in plaintext.
Reports suggest the network was hacked via a local file inclusion (LFI) exploit.
This was revealed by a researcher called 1×0123 on Twitter, who is known for exposing application flaws.
He posted screenshots showing LFI vulnerabilities on Adult Friend Finder.
The images show an LFI being triggered. When asked directly, 1×0123 confirmed LFI as the vulnerability being exploited, and said it was discovered in a module on the production servers used by Adult Friend Finder.
LFI vulnerabilities allow an attacker to include files located elsewhere on the server into the output of a given application.
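To show what that means for a defender, here is an added example (not code from the affected sites or from the researcher) that contrasts an unchecked include path with one confined to a single directory. The function names, directory layout and file contents are constructed for illustration.

```python
import os
import tempfile

class IncludeRejected(Exception):
    """Raised when a requested page resolves outside the allowed directory."""

def naive_resolve(base_dir, requested):
    # Vulnerable pattern: user input is joined to the base path unchecked.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    # Canonicalise both paths (resolving ".." and symlinks), then require
    # the result to stay inside base_dir and to be a regular file.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected(requested)
    if not os.path.isfile(target):
        raise IncludeRejected(requested)
    return target

def demo():
    # Constructed layout: a pages directory with one template, and a
    # configuration file sitting one level above it.
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret.conf"), "w") as f:
        f.write("db_password=constructed")
    results = {}
    for name in ["home.html", "../secret.conf", os.path.join(root, "secret.conf")]:
        try:
            safe_resolve(pages, name)
            results[name] = "served"
        except IncludeRejected:
            results[name] = "rejected"
    # The unchecked join walks out of the pages directory.
    naive_escapes = not naive_resolve(pages, "../secret.conf").startswith(pages + os.sep)
    return results, naive_escapes

if __name__ == "__main__":
    print(demo())
```

An allow-list of known page names is stricter still, since it removes the user-supplied path from the lookup entirely.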
This incident marks the second time in just over a year that the ‘dating’ network has had security problems.
Justine Cross, regional director at Watchful Software, commented on the latest data breach to make headlines: “The public has long since run out of patience for companies that fail to protect their data, and the Friend Finder Networks is just the latest example proving that businesses must take a new stance to keep information in their care safe.”
“It is no longer enough to focus on passwords and financial data – any level of breach can cause significant distress or financial harm to the affected customers.”
“Stolen email addresses will leave the victims vulnerable to phishing attacks and fraud across other sites using the address, while names and other details can be used as a source of embarrassment or blackmail.”
Securing your online presence
“We’re never out of danger from a data breach of our personal information and passwords,” said Ryan O’Leary, VP threat research centre at WhiteHat Security.
“As users, we need to take precautions against this. If your password for each website is unique, good job, you’re one of the few people that use a different password for each service they log into.”
“It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur.”
Here are some simple tips for securing yourself online:
1. Don’t use the same password for all sites. If one site were to be breached, all your accounts are effectively breached.
At the very least, use a variety of passwords to minimise the impact of a breach.
2. Turn on two-factor authentication for any app that supports it.
Yes, it’s a pain! But it’s also one of the best ways to protect your accounts.
3. Only log in to sites that use SSL; you’ll know this by checking whether there is an ‘https://’ before the rest of the URL.
4. Don’t click on any links or attachments in instant messages or emails. As tempting as they might look, you really are rolling the dice with your personal security.