FriendFinder Networks has allegedly been breached, with the details of over 412m user accounts exposed in one of the largest data breaches ever, according to a new report by Leaked Source.
Calling it the largest hack of 2016, the security monitoring site said the breach took place in October 2016.
The affected users and hacked accounts total 412m according to Leaked Source, and the exposed data includes email addresses, passwords, browser information, IP addresses and site membership statuses.
The majority of these accounts apparently came from Adultfriendfinder.com – over 339m – the rest coming from other FriendFinder properties such as Cams.com (62m), Penthouse.com (7.2m), Stripshow (1.4m) and iCams (1.1m), as well as 35,372 compromised records from an “unknown domain”.
The data is also said to include over 15m email addresses ending with “@deleted”, which according to LeakedSource could be from “users who tried to delete their account”.
Among the account details were over 78,000 US military email addresses ending .mil and 5,650 US government email addresses ending .gov.
The breach notification site said the details were hacked via a Local File Inclusion exploit that was first reported back in October.
At the time, a hacker called Revolver — username 1x0123 on Twitter — posted a series of tweets directed at AdultFriendFinder, saying he had accessed a “fuckload of databases”, and was “reporting a #Vulnerability in your site!”
The user also posted screenshots, apparently proving they had access to some of the website’s infrastructure.
Regarding the latest disclosure, FriendFinder Networks VP and senior counsel Diana Ballou told ZDNet in a statement: “FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources.
“Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.
“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.
“FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”
Unlike other breaches it has reported, Leaked Source said it will not be making the database searchable for the general public.
Speaking about the alleged hack, Leaked Source said: “Passwords were stored by FriendFinder Network either in plain visible format or SHA1 hashed (peppered).
“Neither method is considered secure by any stretch of the imagination and furthermore, the hashed passwords seem to have been changed to all lowercase before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.”
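The two storage schemes Leaked Source describes, as an added illustration that is not part of the original report or of FriendFinder's code: the weak form (lowercase the password, then peppered SHA1) beside a hardened form that keeps the original case, adds a per-user random salt and uses a slow key-derivation function. The pepper value, the PBKDF2 parameters and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for illustration only; a real pepper is a server-side
# secret kept out of the database, so it is the same for every user.
PEPPER = b"example-pepper-not-real"


def weak_hash(password: str) -> str:
    """Scheme described in the report: lowercase the password, then SHA1 with a pepper.
    Lowercasing collapses every case variant into one hash (smaller guess space),
    there is no per-user salt, and SHA1 is fast, so each guess costs almost nothing."""
    return hashlib.sha1(PEPPER + password.lower().encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Hardened form: original case preserved, random 16-byte salt per user,
    slow PBKDF2-HMAC-SHA256 (parameters chosen for the example); pepper still applied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), PEPPER + salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), PEPPER + bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def case_variants_collide(password: str) -> bool:
    """True when the weak scheme stores the same hash for different-case spellings."""
    return weak_hash(password) == weak_hash(password.swapcase())


def keyspace_reduction(length: int = 8, with_case: int = 62, lowercased: int = 36) -> float:
    """Factor by which the guess space for a length-N alphanumeric password shrinks
    when case is discarded before hashing (62 symbols down to 36)."""
    return (with_case ** length) / (lowercased ** length)
```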
Last May, it was revealed that the private details of over 4m users of AdultFriendFinder had been hacked and posted on the deep web.
The news was broken by a Channel 4 News investigation, which found the hacked information included the sexual preferences of users, email addresses, usernames, DOBs, post codes and user ISPs.
This latest alleged breach would be on a completely different scale in terms of users, topping the mammoth MySpace 2013 hack where 359m users were exposed, or last year’s Ashley Madison hack of 36m.