Slashdot Mirror


Hack Exposes 412 Million Accounts on AdultFriendFinder Sites (zdnet.com)

"Almost every account password was cracked, thanks to the company's poor security practices," reports ZDNet -- even for "deleted" accounts. An anonymous reader quotes their article: The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community" [and] also includes over 15 million "deleted" accounts that weren't purged from the databases. On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company. The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data... The three largest sites' SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn't cryptographically as secure as newer algorithms.
The attack apparently coincides with the discovery of "a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server." Ironically, Friend Finder Networks doesn't even own Penthouse.com anymore. They sold the site to a new owner last February.

14 of 78 comments

  1. Oh gee by buss_error · · Score: 5, Insightful

    I am so sick and tired of databases not being properly protected. One thing you can do is to monitor outbound traffic. If you suddenly see a huge stream from the DB server to somewhere it doesn't normally go, a banshee cry should come from your monitoring system.

    You can also include "trap" data in the DB and have pattern matching set up (on the system, in the network, on the routers). See the pattern, alarms and cell phones should start ringing.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
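
The egress-monitoring and "trap data" idea in the comment above, as an added example that is not part of the thread: a baseline of bytes sent per destination is learned from constructed flow records for an assumed DB host address, a later window is checked for new destinations or volume spikes, and payload snippets are scanned for a constructed honeytoken row that should never leave the database.

```python
"""Egress anomaly detection plus honeytoken matching for a database host.
All addresses, flow records and the trap value below are constructed."""
from collections import defaultdict

DB_HOST = "10.0.5.20"                                  # assumed DB server
HONEYTOKENS = {"trap-user-7f3a@example.invalid"}       # constructed planted row

# Constructed flow records: (src, dst, bytes_sent).
BASELINE = [
    (DB_HOST, "10.0.5.30", 120_000),    # app server, nightly average
    (DB_HOST, "10.0.5.30", 110_000),
    (DB_HOST, "10.0.9.5", 4_000_000),   # backup host
]
WINDOW = [
    (DB_HOST, "10.0.5.30", 130_000),
    (DB_HOST, "203.0.113.44", 9_000_000_000),  # never-seen external host
    (DB_HOST, "10.0.9.5", 300_000_000),        # 75x the backup baseline
]

def learn_baseline(records, host=DB_HOST):
    """Mean bytes per destination for flows that originate at the DB host."""
    totals = defaultdict(list)
    for src, dst, nbytes in records:
        if src == host:
            totals[dst].append(nbytes)
    return {dst: sum(v) / len(v) for dst, v in totals.items()}

def find_egress_anomalies(records, baseline, host=DB_HOST, factor=10):
    """(dst, reason) for each flow to a new destination or > factor x baseline."""
    alerts = []
    for src, dst, nbytes in records:
        if src != host:
            continue
        if dst not in baseline:
            alerts.append((dst, "new destination"))
        elif nbytes > factor * baseline[dst]:
            alerts.append((dst, "volume spike"))
    return alerts

def honeytoken_hits(payloads, tokens=HONEYTOKENS):
    """Payload snippets (e.g. from an IDS tap) that carry a planted trap value."""
    return [p for p in payloads if any(t in p for t in tokens)]

if __name__ == "__main__":
    print(find_egress_anomalies(WINDOW, learn_baseline(BASELINE)))
    print(honeytoken_hits(["id=1 email=trap-user-7f3a@example.invalid"]))
```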
    1. Re:Oh gee by BarbaraHudson · · Score: 4, Funny

      What is your problem? It's AdultFriendFinder. Someone just found 412 million friends. NOT_A_BUG WORKS_AS_DESCRIBED :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Oh gee by doug141 · · Score: 2

      But wouldn't the development costs of a monitoring system come out of this quarter's profits, and therefore this quarter's executive bonuses? What's the executive downside to data loss... still nothing?

    3. Re:Oh gee by Dutch Gun · · Score: 4, Interesting

      Yes, but you're arguing "if they were only competent, they could do x and y..." Obviously, they're not competent enough to even properly hash and salt usernames/passwords. So, of course they're not going to do anything else sensible, like what you're describing.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Oh gee by sg_oneill · · Score: 2

      I once worked at a company that had lost 3.5 million in the previous year to hackers against half a million profit. From day one at that job I had identified the flaw and had been telling anyone who I could that it was serious and we needed to fix it. And I was constantly told "We need to focus on new features". And you know what, even after the figures came out I *still* could not convince them to let me fix the security hole because they could claim it all back as "R&D tax credits". I quit the company in disgust.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  2. Re:Don't worry by NotInHere · · Score: 4, Funny

    SHA has the best rounds, believe me. bcrypt and scrypt are so slow, they are all computation and no results.

  3. Congrats by nospam007 · · Score: 2

    I guess, some divorce-lawyer's wet dream just came true.

  4. More than the population of the US by JustAnotherOldGuy · · Score: 5, Funny

    339 million accounts, but 338.8 million were fake accounts with pictures of large-breasted women who were eager to have sex with me. And they all live "near" me, even though I live on the International Space Station in low-Earth orbit.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: More than the population of the US by EETech1 · · Score: 2

      I'm sure everyone on the station and NASA would know...

      There's that rapid oscillation from AC's living quarters... AGAIN

      Let's just wait and see if it stops in 3 minutes, it usually does.

      Prepare for masturbatory post ejaculation altitude connection maneuver in... 5...4...3...2...1...

  5. SHA-1 hash function, which by modern standards.... by geekpowa · · Score: 2

    Surely SHA-1 is perfectly fine as long as you salt it sensibly? The only way you can materially improve on SHA-1 is to use a hashing algorithm that is computationally expensive.

  6. Never hacked, not recommended. SHA-2 better by raymorris · · Score: 5, Informative

    There are no known SHA-1 collisions. Essentially, it's never been fully hacked. As you mentioned any hash must be salted for password use, and salted SHA-1 would be fine for most any public web site.

    However, a partial crack of SHA-1 exists. The NSA or the Chinese government might well be able to crack it.

    SHA-2 is recommended for all new hashes. For example, new TLS (SSL) certificates are signed with SHA-2, not SHA-1. In 2017, major browsers may stop accepting TLS certificates signed with SHA-1.

    Upgrading can be easy if you used the crypt() system call, or a higher-level function that calls crypt() underneath. That includes MySQL encrypt(), Perl crypt(), etc. If you do, just change the salt you use for the initial hashing - the password CHECKING code remains unchanged.
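
The point made in comments 5 and 6 (a salted fast hash versus a deliberately slow one, and why switching the scheme for new hashes leaves the checking code untouched), as an added example that is not from the thread and is not glibc crypt(): it mimics the self-describing $scheme$salt$hash layout with hashlib, and the scheme names and the PBKDF2 iteration count are assumed values.

```python
"""Self-describing password hashes: the stored string names its scheme and
salt, so verify() never changes when the default for NEW hashes changes.
rehash_if_needed() shows the transparent upgrade of a legacy entry on login."""
import base64, hashlib, hmac, os

ITER = 100_000  # PBKDF2 work factor (assumed value for this example)

def _digest(scheme, salt, password):
    pw = password.encode()
    if scheme == "sha1":      # legacy salted SHA-1: fast, cheap to brute-force
        return hashlib.sha1(salt + pw).hexdigest()
    if scheme == "sha256":    # salted SHA-2: stronger hash, still fast
        return hashlib.sha256(salt + pw).hexdigest()
    if scheme == "pbkdf2":    # deliberately expensive: what actually slows cracking
        return hashlib.pbkdf2_hmac("sha256", pw, salt, ITER).hex()
    raise ValueError(f"unknown scheme {scheme!r}")

def hash_password(password, scheme="pbkdf2", salt=None):
    """Only the default scheme here changes when the site upgrades."""
    salt = salt if salt is not None else os.urandom(16)
    salt_b64 = base64.b64encode(salt).decode()   # base64 never contains '$'
    return f"${scheme}${salt_b64}${_digest(scheme, salt, password)}"

def verify(password, stored):
    """Scheme and salt are read from the stored value; no scheme is hard-coded."""
    _, scheme, salt_b64, digest = stored.split("$", 3)
    salt = base64.b64decode(salt_b64)
    return hmac.compare_digest(_digest(scheme, salt, password), digest)

def rehash_if_needed(password, stored, want="pbkdf2"):
    """After a successful check, re-hash legacy entries with the wanted scheme.
    Returns the (possibly new) stored value, or None if the password is wrong."""
    if not verify(password, stored):
        return None
    if stored.split("$", 2)[1] == want:
        return stored
    return hash_password(password, want)

if __name__ == "__main__":
    legacy = hash_password("correct horse", scheme="sha1")   # constructed user
    print(legacy)
    print(rehash_if_needed("correct horse", legacy))         # now $pbkdf2$...
```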

  7. Re:Chalk up another one for private industry by ArtemaOne · · Score: 2

    You realize all the military private info was hacked not long ago? Look up the OPM breach. Private industry security isn't consistently better/worse than government.

  8. Re: So what's the password... by Anonymous Coward · · Score: 2, Insightful

    It is really funny that you should mention that. Many people who lived through the Hitler years say that Trump strongly reminds them of Hitler.

    So in a way, you really did vote for Hitler this time around.

  9. Amount of women I fucked from AFF. by Anonymous Coward · · Score: 3, Informative

    Three. One even became my girlfriend for two years. So there are real women on there.