The site Adult Friend Finder, the “world’s largest sex and swingers site,” recently exposed 412 million user credentials due to poor or, in some cases, non-existent password hashing practices. The biggest group losses were:
- 339 million users of AdultFriendFinder.com
- 62 million users of webcam site cams.com
- 7.1 million users of Penthouse.com
- 1.4 million users of stripshow.com
As we discussed last week, the reason that the Yahoo breach went unreported is that Yahoo had employed some pretty impressive password hashing, salting, and stretching processes that made the likelihood of a password being broken pretty close to zero. This was why Yahoo chose not to report the breach.
Unfortunately, Adult Friend Finder stored some passwords in plaintext, and the bulk of the rest were hashed using weak SHA-1, which has been shown to be easy to break. This included several million accounts that had been closed but whose credentials had not been deleted for some reason. If you had an account with them over the last 20 years, consider yourself exposed. Hacks like this usually lead to extortion attempts, or the humiliation of public posting, such as in the recent Ashley Madison breach.
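The following is an added example, not code from this post or from any company named in it. It sets the unsalted SHA-1 storage described above beside salted, stretched hashing, with an upgrade-on-login path for legacy records and a purge of closed accounts. The function names, the `pbkdf2_sha256$...` record format, the iteration count, and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PREFIX = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

def legacy_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1 pass (equal passwords, equal digests)."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted and stretched: random per-record salt, many PBKDF2-HMAC-SHA256 rounds."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format, in constant time."""
    if stored.startswith(PREFIX + "$"):
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_sha1(password), stored)

def login_and_upgrade(db: dict, user: str, password: str,
                      iterations: int = ITERATIONS) -> bool:
    """On a successful login, replace a legacy SHA-1 record with a salted one."""
    stored = db.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith(PREFIX + "$"):
        db[user] = hash_password(password, iterations)
    return True

def purge_closed(db: dict, closed_users: set) -> int:
    """Delete credentials of closed accounts so a later leak cannot expose them."""
    doomed = [u for u in db if u in closed_users]
    for u in doomed:
        del db[u]
    return len(doomed)

if __name__ == "__main__":
    db = {"alice": legacy_sha1("password"), "bob": legacy_sha1("password")}  # constructed
    print("unsalted digests equal:", db["alice"] == db["bob"])
    login_and_upgrade(db, "alice", "password")
    print("alice after login:", db["alice"][:40], "...")
    print("purged:", purge_closed(db, {"bob"}))
```

Records that never log in again stay on SHA-1 under this scheme, which is why the purge of closed accounts matters alongside the upgrade path.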