Friend Finder Hack of 412 Million Users Is Boon for Extortionists

A pornography site optimized for iPad is seen on an iPad at the Pink Visual booth at the AVN Adult Entertainment ExpoJanuary 9, 2011 in Las Vegas, Nevada. Porn fans are being enticed with cyber sex and virtual affairs as the adult entertainment industry adapts to survive in the Internet …

The 412 million user password and history hack of Friend Finder Network, known as the world’s largest online sex and swinger community, will be a boon for extortionists, since it involves potential blackmail of 11 times the number of users in the notorious Ashley Madison hack.

For the second time in the last two years, Friend Finder Network Inc. — which operates “18+ services” accounts involving 339 million AdultFriendFinder users, 62 million “sex chat” accounts, over 7 million subscriptions, 1.4 million members, 1.1 million viewers, and some smaller sites — suffered the largest hack in history. Stolen data included 20 years of all the sites’ user histories, account logins, and credit card authorization data.

The hack on July 15, 2015 of 37.6 million Ashley Madison users’ emails, names, home addresses, sexual fantasies and credit card information was an extortion plot by hackers demanding the site’s Canadian sponsor Avid Life Media be shut down immediately for encouraging people to have affairs.

Ashley Madison notified customers they could have their history removed for a fee of $19, but Avid refused to close. All the hacked data was released on August 18, including histories involving 10 million American men — representing about 1 in every 6 married men in the U.S.

According to the company, the October Friend Finder hack was discovered after the hackers started making “extortion attempts” on users. This form of blackmail usually involves a $99 charge that must be paid by money transfer services like Western Union to have a shameful page removed.

According to the highly respected underground cyber-security researcher operating on Twitter under the handle “1×0123,” the massive hack was due to a blatant “File Inclusion vulnerability” on AdultFriendFinder. This weakness allowed hackers to aggregate files located across the server “cloud,” and involving other partners to be downloaded in a single application. He added that the hacked database “schema” allegedly revealed ninety databases covering names, internal IP details, six-character passwords, chat, billing, member lists, messages, photos, real names, and videos.

One of 1×0123’s sources is a mysterious Russian group called #LeakedSource, which posted on Twitter that the extortion hack involves a record “412,214,295 users” and over 125 million of “plain text passwords stolen.” LeakedSource added:

“After much internal deliberation by the LeakedSource team and for various reasons, we have decided that this data set will not be searchable by the general public on our main page temporarily for the time being” (original emphasis).

In a short statement emailed November 9, Friend Finder Network’s Vice President and Senior Counsel of Corporate Compliance & Litigation Diana Lynn Ballou tried to minimize the depth of the hack by stating: “We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports.  If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.”


Please let us know if you're having issues with commenting.