FriendFinder Networks may have been hit again
A group that collects stolen data claims to have obtained 412 million accounts belonging to FriendFinder Networks, the California-based company that operates thousands of adult-themed sites in what it has described as a “thriving sex community.”
LeakedSource.com, a service that obtains data leaks through shady underground circles, believes the data is legitimate. FriendFinder Networks, stung last year when its AdultFriendFinder website was hacked, could not immediately be reached to respond (see Dating Site Breach Reveals Secrets).
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification site, says that at first glance some of the data looks legitimate, but it is still too early to make a call.
“It’s a mixed bag,” he says. “I would need to see a full dataset to make a strong appeal on it.”
If the data is genuine, it would be one of the biggest data breaches of the year, behind only Yahoo, which in October accused state-sponsored hackers of compromising at least 500 million accounts in late 2014 (see Massive Yahoo Data Breach Breaks Records).
It would also be the second breach to affect FriendFinder Networks in as many years. In May 2015, it was revealed that 3.9 million AdultFriendFinder accounts had been stolen by a hacker dubbed ROR[RG] (see Dating Site Breach Reveals Secrets).
The alleged leak is likely to cause alarm among users who have created accounts on FriendFinder Networks properties, which are primarily adult dating and romance sites, and on those operated by its Steamray Inc. subsidiary, which specializes in streaming webcams of nude models.
It could also be of particular concern because, LeakedSource claims, the accounts date back 20 years, to the early days of the commercial web, when users were less concerned about privacy.
In sensitivity, FriendFinder Networks’ latest breach would be matched only by the breach of Avid Life Media’s Ashley Madison extramarital dating site, which exposed 36 million accounts including customer names, hashed passwords and partial credit card numbers (see Ashley Madison Slammed by Regulators).
Local File Inclusion Flaw
The first hint that FriendFinder Networks might have another problem came in mid-October.
CSOonline reported that someone posted screenshots to Twitter showing a local file inclusion vulnerability in AdultFriendFinder. These types of vulnerabilities allow an attacker to supply input that makes a web application include files from its own server, which in the worst case can allow code to execute on the web server, according to OWASP, the Open Web Application Security Project.
The person who found the flaw goes by the nicknames 1x0123 and Revolver on Twitter, which has suspended the accounts. CSOonline reported that the person posted a redacted image of a server and database schema generated on September 7.
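The local file inclusion class of bug described above comes down to one decision: whether a request parameter is allowed to choose which file on the server gets read. The following is an added example, not code from the article or from FriendFinder Networks, showing a deliberately vulnerable include resolver next to a hardened one. The base directory `/srv/www/pages` and the `.html` allowlist are assumptions for the illustration.

```python
import os

# Assumed location of the page fragments an "include" parameter may select.
PAGES_DIR = "/srv/www/pages"


class IncludeRejected(ValueError):
    """Raised when a requested include does not pass the hardened checks."""


def resolve_include_unsafe(base_dir: str, requested: str) -> str:
    """VULNERABLE: the request value goes straight into the path.

    "../" segments walk out of base_dir, and an absolute path makes
    os.path.join discard base_dir entirely, so any readable file on the
    host can be included.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_include_safe(base_dir: str, requested: str,
                         allowed_suffixes=(".html",)) -> str:
    """HARDENED: canonicalise, then prove the result stays inside base_dir.

    Checks, in order: non-empty value, no NUL byte (which truncates paths in
    C-level file APIs), no absolute path, canonical target still rooted in the
    canonical base directory, and an allowlisted file extension.
    """
    base = os.path.realpath(base_dir)
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise IncludeRejected(f"malformed include name: {requested!r}")
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath is a string-level containment test on canonical paths; it
    # catches "../" sequences and symlinks that realpath followed out of base.
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected(f"include escapes base directory: {requested!r}")
    if not target.endswith(allowed_suffixes):
        raise IncludeRejected(f"include has disallowed extension: {requested!r}")
    return target


if __name__ == "__main__":
    # Constructed request values, the second being a classic traversal probe.
    for value in ("about.html", "../../../etc/passwd", "/etc/passwd"):
        print("unsafe:", value, "->", resolve_include_unsafe(PAGES_DIR, value))
        try:
            print("safe:  ", value, "->", resolve_include_safe(PAGES_DIR, value))
        except IncludeRejected as exc:
            print("safe:  ", value, "-> rejected:", exc)
```

The hardened version never trusts string filtering of `..` alone; it canonicalises both sides with `realpath` and compares the results, which is the check that survives encoding tricks and symlinks. The allowlisted extension is a second, independent gate, so a future mistake in the containment logic still cannot expose arbitrary files.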
In a statement provided to ZDNet, FriendFinder Networks confirmed that it had received reports of potential security issues and had begun a review. Some of the claims, the company said, were in fact extortion attempts.
But the company did fix a code injection flaw that could have allowed access to its source code, FriendFinder Networks told the publication. It was not clear whether the company was referring to the local file inclusion flaw.
The breached sites appear to include AdultFriendFinder.com, iCams.com, Cams.com, Penthouse.com and Stripshow.com, the last of which redirects to the decidedly not-safe-for-work playwithme[.]com, run by FriendFinder’s Steamray subsidiary. LeakedSource provided reporters with sample data in which these sites were mentioned.
But the leaked data could encompass many more sites, as FriendFinder Networks manages up to 40,000 websites, according to a LeakedSource representative via instant messaging.
A large sample of the data provided by LeakedSource initially appeared not to contain any currently registered AdultFriendFinder users. But the file “appears to contain a lot more data than a single site,” the LeakedSource representative says.
“We didn’t split any data ourselves, that’s how it happened to us,” wrote the LeakedSource rep. “Their [FriendFinder Networks’] infrastructure is two decades old and somewhat confusing.”
Most of the passwords were stored in plain text, LeakedSource writes in a blog post. Others had been hashed, the process by which a plaintext password is run through an algorithm to produce a cryptographic representation, which is safer to store.
However, these passwords were hashed using SHA-1, which is considered unsafe for the purpose: today’s computers can compute SHA-1 hashes of candidate passwords so quickly that hashes matching real passwords are found in short order. LeakedSource says it cracked most of the SHA-1 hashes.
It appears that FriendFinder Networks converted some of the plaintext passwords to lowercase before hashing them, which meant LeakedSource was able to crack them faster. That has a slight upside, though, as LeakedSource writes that the “credentials will be slightly less useful for malicious hackers to abuse in the real world.”
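To make the two points above concrete, here is an added example (not code from the article, LeakedSource or FriendFinder Networks) that compares three ways of storing a password: unsalted SHA-1, SHA-1 after lowercasing, and salted, iterated PBKDF2. A small guess counter shows why lowercasing before hashing shrinks the work an attacker must do, and why a per-password salt plus a slow KDF is the right answer. The sample password and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Constructed values for the demonstration; nothing here comes from leaked data.
SAMPLE_PASSWORD = "Pa55word"
WORDLIST: List[str] = ["letmein", "qwerty", "pa55word", "dragon"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password: fast, unsalted, and so easy to guess against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_lowercased_hex(password: str) -> str:
    """Lowercase first, then SHA-1: collapses every case variant onto one hash."""
    return sha1_hex(password.lower())


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: 'alg$iters$salt$dk' (hex fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def candidate_variants(word: str) -> List[str]:
    """Case variants a guesser must try when the scheme preserves case."""
    return sorted({word, word.lower(), word.upper(), word.capitalize()})


def guesses_until_match(stored_hex: str, hash_fn: Callable[[str], str],
                        wordlist: List[str], case_folded: bool) -> Optional[int]:
    """Count hash evaluations before a wordlist entry reproduces stored_hex.

    With case_folded=True (lowercase-before-hash scheme) one variant per word
    suffices; otherwise every case variant must be hashed.
    """
    tries = 0
    seen = set()
    for word in wordlist:
        cands = [word.lower()] if case_folded else candidate_variants(word)
        for cand in cands:
            if cand in seen:
                continue
            seen.add(cand)
            tries += 1
            if hash_fn(cand) == stored_hex:
                return tries
    return None


if __name__ == "__main__":
    plain = guesses_until_match(sha1_hex(SAMPLE_PASSWORD), sha1_hex, WORDLIST, False)
    folded = guesses_until_match(sha1_lowercased_hex(SAMPLE_PASSWORD),
                                 sha1_lowercased_hex, WORDLIST, True)
    print(f"SHA-1, case preserved : {plain} hash evaluations")
    print(f"SHA-1, lowercased     : {folded} hash evaluations")
    record = pbkdf2_store(SAMPLE_PASSWORD)
    print("PBKDF2 record         :", record)
    print("verify correct        :", pbkdf2_verify(SAMPLE_PASSWORD, record))
    print("verify wrong case     :", pbkdf2_verify(SAMPLE_PASSWORD.lower(), record))
```

Against the constructed wordlist the case-preserving scheme needs 8 hash evaluations to recover the sample password and the lowercased scheme needs 3, the same effect LeakedSource describes at scale. The PBKDF2 record, by contrast, costs 200,000 HMAC iterations per guess and carries its own salt, so an attacker cannot share work across accounts or use precomputed tables.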
For a subscription fee, LeakedSource lets its customers search the datasets it has collected. For now, however, it is not allowing searches of this data.
“We don’t want to comment directly on this, but we haven’t been able to make a final decision on it yet,” said the LeakedSource representative.
In May, LeakedSource removed 117 million LinkedIn users’ email addresses and passwords from its service after receiving a cease-and-desist notice from the company.