Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com)
"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article:
The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community" [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest sites' SQL databases included usernames, email addresses, the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server." Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.
Almost another half billion accounts of people spread to the four winds because of how much better private industry is than government.
When you add up all the hacks private industry has allowed because of their incompetence one can easily count 2 billion people, many no doubt duplicates, having their personal information compromised.
But excuses will be made about how great private industry is, how it's not really the programmer's fault or the database administrator's fault or the web designer's fault. Nope, it will be someone else's fault because private industry does things so much better than government it's easy to pass blame and no one will be held accountable as a result.
Yes, but you're arguing "if they were only competent, they could do x and y..." Obviously, they're not competent enough to even properly hash and salt usernames/passwords. So, of course they're not going to do anything else sensible, like what you're describing.
Irony: Agile development has too much inertia to be abandoned now.
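To make concrete what the summary's "plaintext or SHA-1" and the comment's "properly hash and salt" mean for a defender, here is an added example (not code from ZDNet, Slashdot, or Friend Finder Networks). It contrasts an unsalted SHA-1 store, where two users with the same password get the same hash and every record can be attacked at once with one fast lookup, with a per-user-salted PBKDF2-HMAC-SHA256 store verified in constant time. The user names and passwords are constructed sample data, and the storage format `pbkdf2_sha256$iterations$salt$hash` is this example's own convention.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials for the demonstration; not real breach data.
SAMPLE_USERS = {
    "alice": "hunter2",
    "bob": "hunter2",          # same password as alice on purpose
    "carol": "correct horse battery staple",
}


def weak_sha1(password: str) -> str:
    """Unsalted SHA-1 as reported for the leaked databases.

    Fast and deterministic: identical passwords produce identical hashes,
    and one precomputed table cracks every record in the dump at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (hashlib standard library call).

    A fresh 16-byte random salt per user means equal passwords no longer
    share a hash, and the iteration count makes each guess deliberately slow.
    Salt and iteration count are stored beside the hash so they can be
    upgraded later without knowing the password.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Return groups of users whose stored hash is byte-for-byte identical.

    On an unsalted store this is what an analyst (or attacker) sees first:
    password reuse is visible without cracking anything.
    """
    groups: Dict[str, List[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_stores():
    """Build the weak and the hardened credential store for SAMPLE_USERS."""
    weak = {u: weak_sha1(p) for u, p in SAMPLE_USERS.items()}
    hardened = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return weak, hardened


if __name__ == "__main__":
    weak_store, hardened_store = build_stores()
    print("users sharing a SHA-1 hash:", identical_hash_groups(weak_store))
    print("users sharing a PBKDF2 hash:", identical_hash_groups(hardened_store))
    print("alice login ok:", verify_password("hunter2", hardened_store["alice"]))
    print("alice wrong pw:", verify_password("hunter3", hardened_store["alice"]))
```

The iteration count here is a placeholder; the defensive point is that `verify_password` can read whatever count was stored with each record, so an operator can raise it over time and re-hash users on their next successful login instead of keeping a twenty-year-old format in production.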