FriendFinder breach shows it's time to be adults about security

Like all sectors -- government, retail, finance and healthcare -- the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways.

Namely, by getting hacked and pwned, hard. Take for example this week's breach-bloodbath, in which FriendFinder Networks (FFN) lost their Sourcefire code to criminal hackers and put their users in serious risk. Combined with Ashley Madison's many deceits, FFN also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.

We found out this week that "sex and swinger" social network Adult FriendFinder was breached, along with all of its other sites. The FriendFinder Network Inc. (FFN) operates AdultFriendFinder.com, webcam sex-work site cams.com, Penthouse.com and a few others; a total of six databases were reported in the haul.

The hack and dump performed on FFN has exposed 412,214,295 accounts, according to breach notification site Leaked Source, which disclosed the extent of the privacy disaster on Sunday. Leaked Source said "this data set will not be searchable by the general public on our main page temporarily for the time being."

But as infosec blog Salted Hash put it, "The point is, these records exist in multiple places online. They're being sold or shared with anyone who might have an interest in them."

That's more users than Twitter and a third of Facebook's global membership. It's not bigger than Yahoo's abysmal security apocalypse, during which we just found out 500 million accounts were compromised in 2014. Yet FFN's epic catastrophe far exceeds the likes of eBay (145M), Anthem (80M), Sony (77M), JP Morgan Chase (76M), Target (70M) and Home Depot (56M).

Making it worse than a typical security fail is what's in the data.

The snatched records contain usernames, email addresses and passwords -- nearly all of which are visible in plain text. More than 900,000 accounts used the password "123456," 101,046 used "password," tens of thousands used words like "pussy" and "fuckme" -- which we suppose is exactly what FriendFinder did to the user by storing their passwords so recklessly.

But wait, there's more embarrassment to be had by all. Stolen FriendFinder Networks files show that 78,301 accounts used a .mil email address, 5,650 used a .gov email. Telegraph reports addresses associated with the British government include seven gov.uk email addresses, 1,119 from the Ministry of Defence, 12 from Parliament, 54 UK police email addresses, 437 NHS ones and 2,028 from schools. Suffice to say, federal employees are in the category of pervs who need to make sure they aren't reusing any of those bad passwords on other accounts.

As we discovered by files exposed in the Ashley Madison breach, FriendFinder wasn't removing profiles that users believed to have been closed or removed. The records have been found by Leaked Source to contain 15,766,727 million accounts that were supposed to have been deleted. They wrote, "It is impossible to register an account using an email that's formatted this way which means the addition of '@deleted.com' was done behind the scenes by Adult Friend Finder."

This breach actually happened last month. Salted Hash first reported the discovery of a serious security issue with FFN then revealed the beginning of this massive database catastrophe.

In October, a researcher who went by the names "1x0123" and "Revolver" posted screenshots on Twitter showing what's known as a Local File Inclusion vulnerability on Adult FriendFinder. Revolver is known for finding adult website security issues, and they confirmed to Salted Hash that the flaw was being actively exploited. Right away, Leaked Source began to receive files from FriendFinder's databases -- some 100 million records. Everyone involved believed this was just the beginning of a massive data breach.

After their October disclosure got FriendFinder's attention, Revolver tweeted that FFN's security issue was resolved and "no customer information ever left their site" -- which was clearly untrue. Their Twitter account is now gone.

FriendFinder Network conceded in a press release that it was "addressing a security incident involving certain customer usernames, passwords and email addresses" on Monday. It did not acknowledge the number of records exposed. Although FFN advised users who might be reading its press release to change their passwords, it still hasn't notified its customers directly, and there are no notifications on any of its compromised websites.

This was the second breach for the site in less than two years. In May 2015, Adult FriendFinder was hacked, and the attackers exposed details of nearly four millions users. The compromised information included sexual preferences and personal details, whether they are gay or straight, and whether they are seeking extramarital affairs, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users' computers.

In that instance, TekSecurity had discovered the files on a darknet forum, and noted that AFF hadn't reported the breach. They wrote about the files saying, "there is a ton of personally identifiable information (PII) sitting in a forum on the Darknet that has been viewed 1,756 times."

Driving home the harm to consumers, the post explained, "It is unknown how many times the breached data files have been downloaded. Though the files were stripped of credit card data, it is still relatively easy to connect the dots and identify thousands upon thousands of users who subscribe to this adult site."

Security is one area in which adult and porn sites are far behind, and no matter how you feel about sex work and adult entertainment, they are arenas in which strong security should be a priority for all involved. Porn industry trade association Free Speech Coalition, for its part, is trying to lead the charge. They recently released a brief with the Center for Democracy and Technology (CDT) to try and push porn sites to level up their secure connections and all use https. Right now, generally the adult sites that have better security are indies outside the mainstream industry, like queer porn sites and sex culture blogs (like mine).

Hopefully we don't need to have another OPM-of-adult security tragedy, like the FriendFinder debacle, to see the leading porn sites with the majority of users get up to speed in the fight against hack attacks. Right now, giants like Pornhub and Brazzers don't have https.

Encouraging adult sites to make small changes for better security, from hookup networks such as FriendFinder to porn tube sites, is a larger undertaking than you'd think. The idea that there is one "adult industry" is little more than that, an idea. In reality, it's a wide variety of small business entrepreneurs and large legacy businesses, with a ton of independent contractors constantly flowing through the global network. All are operating without access to the regulated business tools and safe promotional channels every other business in the world can use, of course. Because of the stigma.

That stigma also makes it a highly targeted sector. So, it's refreshing to see organizations like the Center for Democracy and Technology trying to help coordinate security changes like https for such a controversial industry without judgement.

But in order for it to work, adult mega-empires like FriendFinder will need to stop hiding behind press releases and own up to their security shortcomings. They'll need to be better than the businesses that aren't forced to live in the shadows, and they'll need to do what those businesses aren't doing: listen to hackers.

With the stunning size of this breach, let's hope they do -- for everyone's sake.

Images: Getty/cruphoto (AFF lead); REUTERS/Pawel Kopczynski (Password); Shutterstock (Darknet)