AdultFriendFinder Notifies Customers About Massive Breach—Finally

Hookup and swinger site AdultFriendFinder has finally started notifying users that its website was hacked in what is the largest breach of 2016, exposing the personal information and sexual preferences of hundreds of millions of user accounts.

The site, which uses the classy tagline of “Hookup, Find Sex or Meet Someone Hot Now,” has 339 million accounts that have been compromised—including more than 15 million deleted accounts that the company never purged from its database. Some of the accounts are two decades old. Also, sister adult webcam sites, and were hit, as was In all, 412 million users are affected.

Suffice it to say that the effects of the breach could be extensive.

LeakedSource had reported the breach last week, saying that hackers gained access to the company’s systems in October. AdultFriendFinder at first didn’t admit the breach. Vice president Diana Ballou said in an email to ZDNet only that the company “did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability. FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

Penthouse Global Media’s Kelly Holland however made no bones about it: She told ZDNet that her company was “aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regards to our data.”

A notice was posted a couple of days later, but the parent company, FriendFinder Network, has waited a week to start actively warning customers of the issue—which it is doing by surfacing a message when a user logs in to his or her account.

"We recently learned of a security incident that compromised certain customer usernames, passwords, and email addresses," reads the message. "Immediately upon learning this information, we took several steps to investigate the situation and retained external partners to support our investigation."

The decision not to email or otherwise notify users outside of their AdultFriendFinder accounts obviously doesn’t help those who thought they had deleted their accounts, or those whose accounts are dormant. And, regardless, for the company to take this long to warn its users that there was a problem is “frankly appalling,” said independent researcher Graham Cluley.

“Which meant that hackers had over a week's head start to exploit members' terrible passwords, or explore whether some users were committing the common cardinal sin of reusing the same passwords on multiple websites,” he said.

Tony Gauda, CEO of ThinAir, noted that consumers have begun judging businesses for how they respond to cyberattacks, instead of simply judging them for being breached in the first place.

“The public has come to expect a thorough (and speedy) response on the part of the organizations they entrust their PII with, which is something FriendFinder Networks failed to deliver,” he said, via email. “By taking a week to notify affected users directly, you essentially leave the door wide open for cybercriminals looking to compromise an individual’s various accounts. With up to 400 million accounts' credentials compromised, it’s inevitable that some (if not most) weren’t created with proper password hygiene, and can likely access other sensitive accounts. Incidents such as this underscore the need for stricter breach notification guidelines, as time and time again companies fail to follow the simplest best practices.”

This is the second breach for AdultFriendFinder in less than two years. In 2015, a breach affected almost 4 million members.

Photo © Vladimir Gjorgiev
