The 412 million user password and history hack of Friend Finder Network, known as the world’s largest online sex and swinger community, will be a boon for extortionists, since it involves potential blackmail of 11 times the number of users in the notorious Ashley Madison hack.
For the second time in the last two years, Friend Finder Network Inc. — which operates “18+ services” accounts involving 339 million AdultFriendFinder users, 62 million Cams.com “sex chat” accounts, over 7 million Penthouse.com subscriptions, 1.4 million Stripshow.com members, 1.1 million iCams.com viewers, and some smaller sites — suffered the largest hack in history. Stolen data included 20 years of all the sites’ user histories, account logins, and credit card authorization data.
The hack on July 15, 2015, of 37.6 million Ashley Madison users’ emails, names, home addresses, sexual fantasies and credit card information was an extortion plot by hackers demanding that the site’s Canadian sponsor, Avid Life Media, be shut down immediately for encouraging people to have affairs.
Ashley Madison notified customers they could have their history removed for a fee of $19, but Avid refused to close. All the hacked data was released on August 18, including histories involving 10 million American men — representing about 1 in every 6 married men in the U.S.
According to the company, the October Friend Finder hack was discovered after the hackers started making “extortion attempts” on users. This form of blackmail usually involves a $99 charge that must be paid by money transfer services like Western Union to have a shameful page removed.
According to the highly respected underground cyber-security researcher operating on Twitter under the handle “1x0123,” the massive hack was due to a blatant “File Inclusion vulnerability” on AdultFriendFinder. This weakness allowed hackers to pull together files stored across the server “cloud,” including files belonging to other partner sites, and download them through a single application. He added that the hacked database “schema” allegedly revealed ninety databases covering names, internal IP details, six-character passwords, chat, billing, member lists, messages, photos, real names, and videos.
One of 1x0123’s sources is a mysterious Russian group called #LeakedSource, which posted on Twitter that the extortion hack involves a record “412,214,295 users” and over 125 million “plain text passwords stolen.” LeakedSource added:
“After much internal deliberation by the LeakedSource team and for various reasons, we have decided that this data set will not be searchable by the general public on our main page temporarily for the time being” (original emphasis).
In a short statement emailed November 9, Friend Finder Network’s Vice President and Senior Counsel of Corporate Compliance & Litigation Diana Lynn Ballou tried to minimize the depth of the hack by stating: “We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.”