The site Adult Friend Finder, the “world’s largest sex and swingers site,” recently exposed 412 million user credentials due to poor or, in some cases, non-existent password hashing practices. The biggest group losses were:
- 339 million users of AdultFriendFinder.com
- 62 million users of webcam site cams.com
- 7.1 million users of Penthouse.com
- 1.4 million users of stripshow.com
As we discussed last week, the reason that the Yahoo breach went unreported is that Yahoo had employed some pretty impressive password hashing, salting, and stretching processes that made the likelihood of a password being broken pretty close to zero. This was why Yahoo chose not to report the breach.
Unfortunately, Adult Friend Finder stored some passwords in plaintext, and the bulk of the rest were hashed using weak SHA-1, which has been shown to be easy to break. This included several million accounts that had been closed but whose credentials had not been deleted for some reason. If you had an account with them over the last 20 years, consider yourself exposed. Hacks like this usually lead to extortion attempts, or the humiliation of public posting, such as in the recent Ashley Madison breach.
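The contrast described above, unsalted SHA-1 against a salted and stretched hash, shown as an added example that is not from the original post or from either company's code. The function names, the record format, the PBKDF2 iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor (the "stretching"); tune to your hardware

def weak_sha1(password: str) -> str:
    """Unsalted single-round SHA-1, the weak scheme described above."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed or legacy record: never treat as a match
    return hmac.compare_digest(dk, expected)

def shared_digests(records: dict[str, str]) -> dict[str, list[str]]:
    """Group users whose stored value is identical (only possible without salts)."""
    groups: dict[str, list[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

# Constructed sample accounts; two of them share a password.
SAMPLE = {"alice": "Summer2016!", "bob": "Summer2016!", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    weak = {u: weak_sha1(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted SHA-1 duplicates:", list(shared_digests(weak).values()))
    print("salted PBKDF2 duplicates: ", list(shared_digests(strong).values()))
    print("alice verifies:", verify_password(SAMPLE["alice"], strong["alice"]))
```

In the unsalted table every user with the same password has the same stored value, so recovering one digest recovers all of them at once; with per-user salts each record has to be attacked separately, and each guess costs the full iteration count.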
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com