As we predicted, the massive MySpace breach of over 359 Million user files did not retain its “Top Of The Breached” crown for long. LeakedSource this week reported receiving evidence of a FriendFinder Networks data breach topping 412 Million user records. That makes it one of the largest documented breaches in recorded history.
That’s bad news for FriendFinder’s network of sites that offer to help adults “hook up, find sex or meet someone special right now.” Some of the compromised records date back 20 years. Each record includes name, email address, and password. Additional personally identifiable information (PII), including the last date each user logged in, was also compromised.
LeakedSource indicated even deleted accounts were impacted.
“We’ve seen this situation many times before and it likely means these were users who tried to delete their account but the data is obviously still kept around,” the site indicated.
This is FriendFinder Networks’ second hack since May 2015. In that breach, sexual preferences were also leaked. This year’s intrusion hit AdultFriendFinder.com and Penthouse.com as well as a number of webcam video sites. Yet the company claims to have excellent data security.
Their website boasts, “With over 700,000,000 (not a typo; that’s 700 MILLION!) people engaged with at least one of our websites, and a track record of over twenty years of positive customer experiences, we continue our mission of pioneering new development of innovative, social media technology connecting people every day all over the world.”
It’s doubtful any of those hacked will feel positively engaged now. Nor were their passwords properly protected. LeakedSource.com indicated that over 99% of passwords from the company’s network were stored in plain text or have been easily decrypted. That means the customers who chose complex passwords like “antidisestablishmentarianism” or “killerklownzfromouterspace” are out of luck too. So are the dozens reportedly using this password for their adult accounts: “ifyourreadingthisitstoolate.”
The six compromised sites have yet to post alerts regarding the breach, but FriendFinder Networks did release a public relations statement. It contains more advice on how to respond.
A significant number of .gov or .mil email addresses are part of the hack. Because of potential job impacts as well as the highly sensitive nature of this breach, LeakedSource has no plans to make the database searchable to determine if your email address (or someone else’s) is on the list.
The worst threat, aside from job impact, potential public exposure or blackmail, is the likely arrival of malware via phishing emails that target these 412 million accounts.
If you fall for such a phishing attempt in your inbox, you could face far more than malware on your computer. If your machine gets infected, ransomware would be a highly predictable outcome, and your device would become unusable unless you pay up. To avoid this outcome, our advice is to back up your data right now in case you become infected.