Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com)
"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article:
The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community" [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest sites' SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server." Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
Re: (Score:1)
Re: pleaaaaaseeee... (Score:1)
Hehe looks like all it took was a c bomb in the title to get the editors to finally do the jobs.
Oh gee (Score:5, Insightful)
I am so sick and tired of databases not being properly protected. One thing you can do is to monitor outbound traffic. If you suddenly see a huge stream from the DB server to somewhere it doesn't normally go, a banshee cry should come from your monitoring system.
You can also include "trap" data in the DB and have pattern matching set up (on the system, in the network, on the routers). See the pattern, alarms and cell phones should start ringing.
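As an added example (not code from the thread, and not anything Friend Finder Networks ran), here are the two checks the comment above describes, run over constructed sample data: a per-destination egress baseline for the database server, and a honeytoken match on outbound content. All hostnames, addresses, byte counts and the trap email address are constructed for the example.

```python
"""Added example: egress baselining plus honeytoken matching, the two
database-exfiltration checks suggested in the comment above.

1. Egress baselining: flag a database server whose outbound byte volume to a
   destination is far above its normal level, or that talks to a destination
   it has never talked to before.
2. Honeytoken matching: plant a unique fake record in the database and alarm
   whenever that value shows up in traffic leaving the network.
All hosts, addresses and volumes below are constructed for the example.
"""
from collections import defaultdict
import re

# Constructed flow records: (src_host, dst_ip, bytes_out).
# BASELINE_FLOWS is a "normal" observation window for the DB server.
BASELINE_FLOWS = [
    ("db01", "10.0.1.10", 52_000_000),   # nightly backup to an internal host
    ("db01", "10.0.1.10", 49_500_000),
    ("db01", "10.0.1.10", 51_200_000),
    ("db01", "10.0.2.20", 800_000),      # app server query traffic
    ("db01", "10.0.2.20", 750_000),
    ("db01", "10.0.2.20", 900_000),
]
# NEW_FLOWS is the window being checked; the last two are the kind of
# anomaly the comment describes.
NEW_FLOWS = [
    ("db01", "10.0.2.20", 820_000),            # normal
    ("db01", "203.0.113.45", 4_300_000_000),   # never-seen external host, huge volume
    ("db01", "10.0.1.10", 600_000_000),        # known host, ~12x the usual volume
]

def build_baseline(flows):
    """Per (src, dst): average outbound bytes seen in the baseline window."""
    seen = defaultdict(list)
    for src, dst, nbytes in flows:
        seen[(src, dst)].append(nbytes)
    return {k: sum(v) / len(v) for k, v in seen.items()}

def egress_alerts(baseline, flows, factor=5.0):
    """Return (src, dst, reason) for each flow that breaks the baseline."""
    alerts = []
    for src, dst, nbytes in flows:
        avg = baseline.get((src, dst))
        if avg is None:
            alerts.append((src, dst, "new destination"))
        elif nbytes > factor * avg:
            alerts.append((src, dst, f"volume {nbytes / avg:.1f}x baseline"))
    return alerts

# Honeytoken: a fake account whose email exists only in our database, so any
# appearance of it in outbound content means the table is leaving the building.
HONEYTOKEN_EMAIL = "trap-7f3a9c@example.invalid"   # constructed value
HONEYTOKEN_RE = re.compile(re.escape(HONEYTOKEN_EMAIL), re.IGNORECASE)

def honeytoken_hits(outbound_payloads):
    """Return the indexes of payloads that contain the planted value."""
    return [i for i, p in enumerate(outbound_payloads) if HONEYTOKEN_RE.search(p)]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in egress_alerts(base, NEW_FLOWS):
        print("EGRESS ALERT", alert)
    # Constructed outbound payloads: the second one is a table dump on its way out.
    payloads = [
        "GET /index.html HTTP/1.1",
        "alice@example.com,...\nTRAP-7f3a9c@example.invalid,...",
    ]
    print("honeytoken hits:", honeytoken_hits(payloads))
```

The baseline is deliberately simple (a per-destination mean and a fixed multiplier) so the logic is readable; a real deployment would baseline by time of day and use a robust statistic, but the shape of the check, "a database server that has never talked to that address, or is sending an order of magnitude more than usual, is an alarm", is what the comment is asking for.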
Re:Oh gee (Score:5, Funny)
Re: (Score:2)
Like Ashley Madison, I bet 99% of the users are male, and 90% of the women are fake accounts.
Re: (Score:3)
But wouldn't the development costs of a monitoring system come out of this quarter's profits, and therefore this quarter's executive bonuses? What's the executive downside to data loss... still nothing?
Re: (Score:3)
I once worked at a company that had lost 3.5 million in the previous year to hackers against half a million profit. From day one at that job I had identified the flaw and had been telling anyone who I could that it was serious and we needed to fix it. And constantly was told "We need to focus on new features". And you know what, even after the figures came out I *still* could not convince them to let me fix the security hole because they could claim it all back as "R&D tax credits". I quit the company i
Re: (Score:2)
Executives need to start seeing jail time for stuff like this. If they can't show that they took reasonable steps to prevent it, like getting the system audited externally by an accredited company on a regular basis and enforcing security standards (ISO etc.) they should be held liable.
You make big bucks off people's private data, you accept the risks.
Re:Oh gee (Score:5, Interesting)
Yes, but you're arguing "if they were only competent, they could do x and y..." Obviously, they're not competent enough to even properly hash and salt usernames/passwords properly. So, of course they're not going to do anything else sensible, like what you're describing.
Re: Oh gee (Score:2)
IT people seem to think that something like this is called "proper protection". It's not. A less crap IT solution would be to place a firewall in between the web server and the SQL server and enforce specific queries.
A slightly better solution would be to limit all database access to specific stored procedures. This would destroy business agility because it would require the programmers to stop us
Re: (Score:1)
It's an interesting consumer lesson. You can sign up with a fake name and email and you can even delete your account, but the moment you supply your real name to run your credit card there is exposure. Until the simple theft of personal information carries liability for the company holding the data, not just liability for the provable harm, nothing will change. Until then we'll all just keep getting free credit monitoring, as if that solves everything.
A Brilliant Plan: (Score:1)
1. Sign up for sites like these using your enemies' information.
2. Wait for said sites to get hacked (because they inevitably will), spewing your enemies information across the Interwebs and filling their lives with unexpected shame and scandal.
3. Profit!
Re: (Score:2)
Re:Don't worry (Score:5, Funny)
SHA has the best rounds, believe me. bcrypt and scrypt are so slow, they are all computation and no results.
Re: (Score:1)
How long until we find Carlos Danger (Anthony Wiener) or Diane Reynolds (Chelsea Clinton) in the dumps?
That said, if you find one listed as "Evergreen" I'd advise that you run and don't turn back.
That's Hillary, if you didn't know.
Re: (Score:1)
As funny as that would be, trump doesn't use computers or the internet. He doesn't even use email. He hand writes everything.
Yes, he's that old school.
In any case, he has no need for adult hooking up sites. He can pretty much walk up to any hot chick and just grab her by the pussy.
Re: (Score:1)
They'll brag about his conquests while they vote for his reelection.
Go figure.
Re: (Score:1)
And yet somehow Trump's predicted, presumed philandering be fine with the Conservitards. Peachy keen in fact. They'll brag about his conquests while they vote for his reelection. Go figure.
Maybe it's because he wasn't a hypocrite liar trying to hide it like the Clintons?
Me, I would have voted for Hitler before voting for Hillary. At least Hitler did something good - he killed Hitler. Maybe the Clintons can learn something from him :-)
(it's a joke, stupid libtard lizard people. Go riot somewhere or smash a few windows. Hopefully you'll be arrested and committed to Bellevue because there's something wrong with people who lose an election and then lose their shit)
Re: (Score:2, Insightful)
It is really funny that you should mention that. Many people who lived through the Hitler years say that Trump strongly reminds them of Hitler.
So in a way, you really did vote for Hitler this time around.
Re: (Score:1)
(it's a joke, stupid libtard lizard people. Go riot somewhere or smash a few windows. Hopefully you'll be arrested and committed to Bellevue because there's something wrong with people who lose an election and then lose their shit)
You mean like you were planning on doing if Trump had lost?
Re: (Score:2)
Re: (Score:2)
I am a Trump protester. I want him to clearly reject his "deplorable" base.
I'd also love for him to say he knows his campaign was too divisive and has made it impossible for all Americans to accept his leadership; so he is committed to a single term, which will ensure he can clean up Washington without being beholden to anyone.
Re: (Score:2)
Barbera, aren't you a Canadian transgender?
Last time I looked, since my birth cert didn't always say female, so I guess so :-)
Clearly the whole transgender hate thing can be fixed by the individual states issuing properly corrected birth certificates. There is NO way that federal legislation can do that, nor offer the same protections. All those stupid bathroom bills disappear when you have a new (not amended) birth certificate with your new sex.
We've had laws in this province protecting us from discrimination based on sex, which has been interpre
Congrats (Score:3)
I guess, some divorce-lawyer's wet dream just came true.
Re: (Score:2)
FTFA: "LeakedSource said breaking with usual tradition because of the kind of breach, it will not make the data searchable."
In other words, they found themselves there. Now if someone could hack LeakedSource, it would be interesting...
Anyhow, 412 million seems like a rather high number. That's about 50% of the adult population of USA and Europe combined!
More than the population of the US (Score:5, Funny)
339 million accounts, but 338.8 million were fake accounts with pictures of large-breasted women who were eager to have sex with me. And they all live "near" me, even though I live on the International Space Station in low-Earth orbit.
Re: More than the population of the US (Score:1)
I live in England, but apparently dozens of Eastern European porn stars live within a mile of me.
And (it gets better) they're all gagging for cock, not just any cock, but mine!
Re: (Score:1)
if you're on the ISS, that puts you within about 250 miles of most of the planet's women each day, just not for very long...
Re: More than the population of the US (Score:1)
In space, no one can hear you FAPFAPFAPFAPFAP.
Re: (Score:3)
I'm sure everyone on the station and NASA would know...
There's that rapid oscillation from ACs living quarters... AGAIN
Let's just wait and see if it stops in 3 minutes, it usually does.
Prepare for masturbatory post ejaculation altitude connection maneuver in... 5...4...3...2...1...
Amount of women I fucked from AFF. (Score:3, Informative)
Three. One even became my girlfriend for two years. So there are real women on there.
Re: (Score:2)
Re: (Score:2)
You're probably thinking of Ashley Madison.
Re: (Score:2)
I see. Thanks for the information. So should we start a pool on how long it'll be before they get hacked again? ;-)
SHA-1 hash function, which by modern standards.... (Score:3)
Re: SHA-1 hash function, which by modern standards (Score:2)
Yes. While SHA-1 has seen successful collision attacks (attackers can find two messages that generate the same hash), practical preimage attacks (attacker finds a message that generates either a specified hash value or the same hash value as a specified message) are not currently known. I would guess that these passwords effectively did not use salts.
Re: (Score:2)
There aren't even preimage attacks known for MD5.
Never hacked, not recommended. SHA-2 better (Score:5, Informative)
There are no known SHA-1 collisions. Essentially, it's never been fully hacked. As you mentioned any hash must be salted for password use, and salted SHA-1 would be fine for most any public web site.
However, a partial crack of SHA-1 exists. The NSA or the Chinese government might well be able to crack it.
SHA-2 is recommended for all new hashes. For example, new TLS (SSL) certificates are signed with SHA-2, not SHA-1. In 2017, major browsers may stop accepting TLS certificates signed with SHA-1.
Upgrading can be easy if you used the crypt() system call, or a higher-level function that calls crypt() underneath. That includes MySQL encrypt(), Perl crypt(), etc. If you do, just change the salt you use for the initial hashing - the password CHECKING code remains unchanged.
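Added example, not code from the thread, from crypt(), or from any of the sites involved: it shows the two points made in the comments above. First, why unsalted SHA-1 (the guess in the earlier reply) is cracked with one precomputed table for every user at once. Second, how a self-describing hash string in the `$<scheme>$<salt>$<digest>` style that crypt()-like functions use lets the password CHECKING code stay unchanged while new hashes move to a stronger scheme. The `$sha1$` and `$pbkdf2-sha256$` identifiers, the round count and all passwords are constructed for this example and are not the real crypt() identifiers.

```python
"""Added example: unsalted SHA-1 lookup-table cracking versus salted,
self-describing password hashes with a login-time upgrade path.
Scheme identifiers, round counts and passwords are constructed."""
import hashlib
import hmac
import secrets

# --- 1. Unsalted SHA-1: one table cracks every user with a dict lookup ------
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]   # constructed

def unsalted_sha1(password):
    """What 'scrambled with SHA-1' most likely meant: no salt, one round."""
    return hashlib.sha1(password.encode()).hexdigest()

def crack_unsalted(stored_hashes, wordlist):
    """Build the table once; every row then costs a single lookup."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table.get(h) for user, h in stored_hashes.items()}

# --- 2. Salted, self-describing hashes: "$<scheme>$<salt>$<hex digest>" -----
CURRENT_SCHEME = "pbkdf2-sha256"   # assumed identifier for this example
PBKDF2_ROUNDS = 100_000            # assumed work factor

def _digest(scheme, salt, password):
    if scheme == "sha1":            # legacy: salted but a single fast round
        return hashlib.sha1(salt.encode() + password.encode()).hexdigest()
    if scheme == "pbkdf2-sha256":   # current: salted, slow, iterated
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   salt.encode(), PBKDF2_ROUNDS).hex()
    raise ValueError(f"unknown hash scheme {scheme!r}")

def make_hash(password, scheme=CURRENT_SCHEME):
    """Fresh random salt per user; the scheme name rides along in the string."""
    salt = secrets.token_hex(8)
    return f"${scheme}${salt}${_digest(scheme, salt, password)}"

def check_password(stored, password):
    """The checking code never changes: it reads the scheme out of the hash."""
    _, scheme, salt, digest = stored.split("$")
    return hmac.compare_digest(_digest(scheme, salt, password), digest)

def verify_and_upgrade(stored, password):
    """Login-time migration: on a correct password under an old scheme,
    return (True, new_hash) so the caller writes the new hash back;
    (True, None) if already current; (False, None) on a wrong password."""
    if not check_password(stored, password):
        return False, None
    if stored.split("$")[1] != CURRENT_SCHEME:
        return True, make_hash(password)
    return True, None

if __name__ == "__main__":
    rows = {"alice": unsalted_sha1("123456"), "bob": unsalted_sha1("s3cretXYZ!")}
    print("unsalted table crack:", crack_unsalted(rows, COMMON_PASSWORDS))
    legacy = make_hash("hunter2", scheme="sha1")     # what an old row looks like
    ok, upgraded = verify_and_upgrade(legacy, "hunter2")
    print("legacy login ok:", ok, "-> new hash:", upgraded)
    print("new hash still verifies:", check_password(upgraded, "hunter2"))
```

The point of the `verify_and_upgrade` shape is the one the comment makes: because the scheme identifier and salt are stored with the digest, switching the algorithm only changes what `make_hash` emits for new or re-hashed rows, and users migrate the next time they log in with a correct password.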
Re: (Score:2)
Indeed, the real problem is that passwords are a terrible way of securing stuff. Human memory is too easy to predict and model, which is why even "good" passwords consisting of multiple words and numbers are relatively easy to crack these days, even with salted SHA-1 protecting them.
Didn't Google say they were working on something better than passwords? We need it sooner rather than later. Hard to imagine what form it will take though. Biometrics are obviously stupid, and it needs to be convenient and secur
Chalk up another one for private industry (Score:2, Interesting)
Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.
When you add up all the hacks private industry has allowed because of their incompetence one can easily count 2 billion people, many no doubt duplicates, having their personal information compromised.
But excuses will be made about how great private industry is, how it's not really the programmer's fault or the database administrator's fault or the web designer's fault. Nope
Re: (Score:2)
Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.
That's why government regulation of private industry is bad /s
Re: (Score:3)
Re: (Score:1)
I was, both on the "vanilla" AdultFriendFinder.com and the more explicit Alt.com.
It was very fake-ridden, but the fakes were easy to spot, even in the old times without Google image search. Sometimes it got weird when a silver or gold (i.e. paying) account popped up that contained picture material well-known from your favorite porn picture aggregator, so I assume some of these were indeed set up by the Friendfinder Network themselves as I can't imagine that people would set up paid-for fakes.
All in all, we
oh darn - changing my password AGAIN! (Score:2)
You'd think one could trust these amoral website companies to keep everything secure from "the man" --- but noooo!
I'm running out of passwords. Password1, Password2, Password123456, now i'll just hold down the 99999999 key.
I wonder... (Score:1)