Any sizable breach of sensitive information like usernames and passwords represents a privacy catastrophe. But when those credentials link breach victims to sex sites, the consequences go beyond the risk of a hacked credit card or Twitter account and into the realm of humiliation and blackmail.
On Sunday, the website Leaked Source, a repository of breached data, revealed that hackers had compromised the online hookup and dating firm FriendFinder and stolen 412 million users’ information, including usernames, passwords, and email addresses. The data includes more than 339 million accounts on AdultFriendFinder.com—which advertises itself as “the world’s largest sex & swinger community”—as well as tens of millions of accounts from Penthouse.com and Stripshow.com. Though Leaked Source reports that some of the leaked passwords were cryptographically hashed to protect them, others were left unencrypted, and even the protected ones were easily cracked in almost all cases. “Neither method is considered secure by any stretch of the imagination,” Leaked Source writes.
In an email to WIRED, a spokesperson for Leaked Source says it received the data from an “underground source who wishes to stay anonymous,” but that it checked some of the hacked credentials for a set of AdultFriendFinder accounts against previous leaks of data from a hacked password manager to verify that they were real. ZDNet also obtained a portion of the data and verified its authenticity by contacting affected users.
Leaked Source chose not to publish FriendFinder’s leaked data. But the site’s spokesperson warns WIRED that there’s little question it’s been distributed elsewhere online—the site often learns of hacker breaches via dark web marketplaces and hacker forums. “FriendFinder users should genuinely be concerned that people outside of the affected company know they registered to such a website,” the spokesperson says. “In no cases are we ever the only ones with leaked user data.”
Even users who once registered on one of FriendFinder’s hookup or porn sites and later deleted their accounts may still be caught up in the data spill. According to Leaked Source, 15 million of the breached usernames and passwords appear to have been from users who intended to delete their accounts but whose details were still retained by the company. This is the second time in a year that FriendFinder has been hacked; the earlier one, in May 2015, affected 3.5 million users.
FriendFinder didn’t immediately respond to WIRED’s request for comment on how it might be working to remediate the damage from the breach.
How Serious Is This?
Few forms of hacker compromise can be as damaging to victims as those that reach into their secret sex lives. When extramarital affairs site Ashley Madison was hacked last year, the public leak of 32 million users’ accounts reportedly led to at least three suicides.
FriendFinder’s data debacle represents nearly 13 times as many accounts as the Ashley Madison breach. FriendFinder users can only hope that the leaked data remains relatively hidden. In the Ashley Madison case, by contrast, data was widely circulated and even made searchable on a highly trafficked website.
For the breach’s victims, the usual post-hack advice applies: Immediately change your passwords on the affected sites if FriendFinder hasn’t yet reset them, as well as on any site where you’ve reused those passwords. (And in general, don’t reuse passwords.) But in this situation, victims should also stay tuned for any sign that the leaked data has been published in plain view—and brace for what may yet become a more serious violation of their online life.