Adult entertainment company FriendFinder Network has suffered a breach of over 400 million customer accounts, exposing the details of its various hook up and porn sites.
A database of just over 412 million accounts has been reported on the darknet, containing email addresses and passwords stored either in plaintext or SHA1 hashed.
While the data isn’t potentially as incriminating as that stolen from affairs site Ashley Madison, it still makes it possible to identify and therefore potentially blackmail users of the various sites belonging to FriendFinder Network.
These include AdultFriendFinder (339m users), Cams.com (62m), Penthouse.com (7m), Stripshow.com (1m), and iCams.com (1m).
The hack happened in October, with attackers using a Local File Inclusion exploit to infiltrate the network, according to data breach notification site LeakedSource.
The site said that given the circumstances surrounding this breach it would not be revealing a searchable version of the data set for public consumption.
Interestingly, it emerged that FriendFinder Network has been storing the details of users who have asked to leave and have their accounts deleted – over 15 million of them.
In addition, 99% of passwords are either plainly visible or easily crackable, LeakedSource said.
As per usual there are a large number of .mil (78,301) and .gov (5650) addresses on the breach list.
This isn’t the first time the company has been caught out, with around 3.5m AdultFriendFinder users exposed in a May 2015 breach. On that occasion, however, much more sensitive information on sexual preferences was apparently disclosed.
David Kennerley, director of threat research at Webroot, argued that the firm has failed to learn from its mistakes and as a result its customers will be exposed to blackmail phishing and fraud.
“All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide them with the greatest scope of protection,” he added.
“It goes without saying that systems, software and processes should be regularly reviewed, and previously accepted risk levels may no longer suffice. For the consumer, unfortunately, you need to consider whether you’re ultimately happy with anything you post online being made public, as everyday there seems to be news of another breach.”