Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses Privacy Social Networks

Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com) 78

"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article: The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest site's SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server. " Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
This discussion has been archived. No new comments can be posted.

Hack Exposes 412 Million Accounts on AdultFriendFinder Sites

Comments Filter:
  • Oh gee (Score:5, Insightful)

    by buss_error ( 142273 ) on Sunday November 13, 2016 @04:51PM (#53277425) Homepage Journal

    I am so sick and tired of databases not being properly protected. One thing you can do is to monitor outbound traffic. If you suddenly see a huge stream from the DB server to somewhere it doesn't normally go, a banshee cry should come from your monitoring system.

    You can also include "trap" data in the DB and have pattern matching set up (on the system, in the network, on the routers). See the pattern, alarms and cell phones should start ringing.

    • Re:Oh gee (Score:5, Funny)

      by BarbaraHudson ( 3785311 ) <.moc.duolci. .ta. .nosduh.enaj.arabrab.> on Sunday November 13, 2016 @06:26PM (#53277777) Journal
      What is your problem? It's AdultFriendFinder. Someone just found 412 million friends. NOT_A_BUG WORKS_AS_DESCRIBED :-)
    • by doug141 ( 863552 )

      But wouldn't the development costs of a monitoring system come out of this quarter's profits, and therefore this quarter's executive bonuses? What's the executive downside to data loss... still nothing?

      • I once worked at a company that had lost 3.5 million in the previous year to hackers against half a million profit. From day one at that job I had identified the flaw and had been telling anyone who I could that it was serious and we needed to fix it. And constantly was told "We need to focus on new features". And you know what, even after the figures came out I *still* could not convince them to let me fix the security hole because they could claim it all back as "R&D tax credits". I quit the company i

      • by AmiMoJo ( 196126 )

        Executives need to start seeing jail time for stuff like this. If they can't show that they took reasonable steps to prevent it, like getting the system audited externally by an accredited company on a regular basis and enforcing security standards (ISO etc.) they should be held liable.

        You make big bucks off people's private data, you accept the risks.

    • Re:Oh gee (Score:5, Interesting)

      by Dutch Gun ( 899105 ) on Sunday November 13, 2016 @06:47PM (#53277871)

      Yes, but you're arguing "if they were only competent, they could do x and y..." Obviously, they're not competent enough to even properly hash and salt usernames/passwords properly. So, of course they're not going to do anything else sensible, like what you're describing.

    • What a crap IT solution. Don't get me wrong, if I can't get a good solution, a crap IT solution will have to do.

      IT people seem to think that something like this is called "proper protection". It's not. A less crap IT solution would be to place a firewall in between the web server and the SQL server and enforce specific queries.

      A slightly better solution would be to limit all database access to specific stored procedures. This would destroy business agility because it would require the programmers to stop us
    • It's an interesting consumer lesson. You can sign up with a fake name and email and you can even delete your account, but the moment you supply your real name to run your credit card there is exposure. Until the simple theft of personal information carries liability for the company holding the data, not just liability for the provable harm, nothing will change. Until then we'll all just keep getting free credit monitoring, as if that solves everything.

  • by Anonymous Coward

    1. Sign up for sites like these using your enemies' information.

    2. Wait for said sites to get hacked (because they inevitably will), spewing your enemies information across the Interwebs and filling their lives with unexpected shame and scandal.

    3.Profit!

  • by nospam007 ( 722110 ) * on Sunday November 13, 2016 @05:10PM (#53277513)

    I guess, some divorce-lawyer's wet dream just came true.

    • by arth1 ( 260657 )

      FTFA: "LeakedSource said breaking with usual tradition because of the kind of breach, it will not make the data searchable."

      In other words, they found themselves there. Now if someone could hack LeakedSource, it would be interesting...

      Anyhow, 412 million seems like a rather high number. That's about 50% of the adult population of USA and Europe combined!

  • by JustAnotherOldGuy ( 4145623 ) on Sunday November 13, 2016 @05:15PM (#53277531) Journal

    339 million accounts, but 338.8 million were fake accounts with pictures of large-breasted women who were eager to have sex with me. And they all live "near" me, even though I live on the International Space Station in low-Earth orbit.

    • by Anonymous Coward

      I live in England, but apparently dozens of Eastern European porn stars live within a mile of me.

      And (it gets better) they're all gagging for cock, not just any cock, but mine!

    • by Anonymous Coward

      if you're on the ISS, that puts you within about 250 miles of most of the planet's women each day, just not for very long...

      • by Anonymous Coward

        In space, no one can hear you FAPFAPFAPFAPFAP.

        • I'm sure everyone on the station and NASA would know...

          There's that rapid oscillation from ACs living quarters... AGAIN

          Let's just wait and see if it stops in 3 minutes, it usually does.

          Prepare for masturbatory post ejaculation altitude connection maneuver in... 5...4...3...2...1...

    • by Anonymous Coward

      Three. One even became my girlfriend for two years. So there are real women on there.

  • Comment removed based on user account deletion
  • by geekpowa ( 916089 ) on Sunday November 13, 2016 @05:26PM (#53277581)
    Surely SHA-1 is perfectly fine as long as you salt it sensibly? The only way you can materially improve on SHA-1 is to use a hashing algorithm that is computationally expensive.
    • Yes. While SHA-1 has seen successful collision attacks (attackers can find two messages that generate the same hash), practical preimage attacks (attacker finds a message that generates either a specified hash value or the same hash value as a specified message) are not currently known. I would guess that these passwords effectively did not use salts.

    • by raymorris ( 2726007 ) on Sunday November 13, 2016 @06:07PM (#53277721) Journal

      There are no known SHA-1 collisions. Essentially, it's never been fully hacked. As you mentioned any hash must be salted for password use, and salted SHA-1 would be fine for most any public web site.

      However, a partial crack of SHA-1 exists. The NSA or the Chinese government might well be able to crack it.

      SHA-2 is recommended for all new hashes. For example, new TLS (SSL) certificates are signed with SHA-2, not SHA-1. In 2017, major browsers may stop accepting TLS certificates signed with SHA-1.

      Upgrading can be easy if you used the crypt() system call, or a higher-level function that calls crypt() underneath. That includes MySQL encrypt(), Perl crypt(), etc. If you do, just change the salt you use for the initial hashing - the password CHECKING code remains unchanged.

    • by AmiMoJo ( 196126 )

      Indeed, the real problem is that passwords are a terrible way of securing stuff. Human memory is too easy to predict and model, which is why even "good" passwords consisting of multiple words and numbers are relatively easy to crack these days, even with slated SHA-1 protecting them.

      Didn't Google say they were working on something better than passwords? We need it sooner rather than later. Hard to imagine what form it will take though. Biometrics are obviously stupid, and it needs to be convenient and secur

  • Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.

    When you add up all the hacks private industry has allowed because of their incompetence one can easily count 2 billion people, many no doubt duplicates, having their personal information compromised.

    But excuses will be made about how great private industry is, how it's not really the programmer's fault or the database administrator's fault or the web designer's fault. Nope

    • by OzPeter ( 195038 )

      Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.

      That's why government regulation of private industry is bad /s

    • You realize all the military private info was hacked not long ago? Look up the OPM breach. Private industry security isn't consistently better/worse than government.
  • You'd think one could trust these amoral website companies to keep everything secure from "the man" --- but noooo!

    I'm running out of passwords. Password1, Password2, Password123456, now i'll just hold down the 99999999 key.

  • Need to search that data for the name "Melania"

In order to dial out, it is necessary to broaden one's dimension.

Working...