Naked Security

Millions of AdultFriendFinder user accounts hacked – again

One hacker is claiming to have stolen a database of 73 million users: a whole lot of details for a whole lot of people who'd rather keep that bedroom door closed.

Two notorious hackers – one known as Revolver or 1x0123 and one known as Peace – are separately claiming to have broken into the hookup site AdultFriendFinder (AFF) and breached millions of user account details.

According to Motherboard’s Vice, 1x0123 on Tuesday evening posted two screenshots that seem to show access to a portion of the AFF site’s infrastructure.

Peace is also claiming to have stolen a database of 73 million AFF users. Also known as peace_of_mind, he’s the same dark operator who was selling 65 million stolen Tumblr passwords on the Dark Web in May.

Vice posted a copy of a tweet from 1x0123, but the links aren’t working, possibly because the hacker’s tweets are hidden to all but his followers, or possibly because they’ve been deleted.

At any rate, according to the publication, the tweet communicated a spicier version of this:

.@adultfriendfind F**kload of databases with same user/password + runing as root pic.twitter.com/SFXfdLJmfi
— 1x0123 (@1x0123) October 19, 2016

Peace told Motherboard last week that he’d hacked into AFF and passed on “everything, all [FriendFinder Network],” to other hackers.

That reference is to the site’s parent company, FriendFinder Networks. The company has confirmed the breach and said that it’s now investigating.

From a statement sent to news outlets:

We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected.

AFF bills itself as the “world’s largest sex & swinger community.”

It may be the largest, but when it comes to privacy, it’s sure not the safest: this is the second time it’s been hit.

In May 2015, it was hit by a hacker known as ROR[RG], losing a database with details of almost 4 million users, including users’ relationship statuses, sexual preferences, and their email addresses, usernames, and locations.

A blogger named Teksquisite, “a self-employed IT consultant,” said that she’d uncovered the same data cache a month earlier and accused the hacker of attempting to extort money from Adult Friend Finder before leaking the stolen account data.

According to Teksquisite, 400,000 of the accounts included details that could be used to identify users, such as their username, date of birth, gender, race, IP address, zip codes, and sexual orientation.

As for the current breach, Peace told Motherboard that he’d pried open a backdoor that had been publicized on the hacking forum Hell: the place where last year’s breach data was listed for sale for 70 Bitcoin.

His claims have been verified by Dan Tentler, a security researcher and founder of a startup called Phobos Group. Peace had also sent a set of files to Motherboard for verification.

Tentler:

Theoretically? Complete end-to-end compromise.

Tentler said that one of the stolen files contained employee names, their home IP addresses, and Virtual Private Network keys to access AFF’s servers remotely.

Security researchers have said that the flaw Peace used to get at the database was a very common one known as Local File Inclusion (LFI).

LFI is one of those web application attacks that just refuses to die. In fact, the only such attack on Akamai’s most recent State of the Internet Security Report that was more active than LFI was SQL injection.

As the Open Web Application Security Project (OWASP) defines it, LFI is the process of including files that are already locally present on the server, by exploiting vulnerable inclusion procedures implemented in the application.

In other words, attackers who get in via LFI can read files from the server, and often run code on it, reaching any part of it that the web application itself can reach.
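To make the OWASP definition concrete, here is an added example (not AFF’s code, and not part of the original article) of the vulnerable pattern behind most LFI flaws beside a hardened version, plus a simple check over access-log lines for the traversal sequences that such attempts leave behind. The template directory, its files, the allowlist of page names and the log lines are all constructed at runtime, so the script runs offline.

```python
"""Local File Inclusion (LFI): a vulnerable page loader beside a hardened one,
plus a simple access-log check for traversal attempts.

Added example, not code from AdultFriendFinder or Sophos. The web root, template
files and log lines are constructed in a temporary directory at runtime.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist of page names the application is willing to render.
ALLOWED_PAGES = {"home", "profile", "help"}

# Traversal indicators, raw and URL-encoded, as they appear in an access log.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e(%2f|/|%5c|\\))", re.IGNORECASE)


def make_sandbox() -> str:
    """Create a constructed web root: templates/ plus a config/ directory that
    must never be served. Returns the templates directory path."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "templates").mkdir()
    (root / "templates" / "home.tpl").write_text("<h1>Welcome</h1>\n")
    (root / "config").mkdir()
    (root / "config" / "secrets.txt").write_text("db_password=CONSTRUCTED\n")
    return str(root / "templates")


def load_page_unsafe(base_dir: str, page: str) -> str:
    """Vulnerable pattern: the request parameter is joined straight into a path.

    '../config/secrets.txt' walks out of base_dir, and os.path.join discards
    base_dir entirely if page is an absolute path.
    """
    with open(os.path.join(base_dir, page), encoding="utf-8") as fh:
        return fh.read()


def load_page_safe(base_dir: str, page: str) -> str:
    """Hardened loader: allowlist the name, build the path from a fixed pattern,
    then confirm the resolved path still lies under base_dir before opening."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"page not in allowlist: {page!r}")
    root = Path(base_dir).resolve()
    target = (root / f"{page}.tpl").resolve()
    # Containment check guards against symlinks or a mis-built allowlist.
    if root not in target.parents:
        raise PermissionError("resolved path escapes the template root")
    return target.read_text(encoding="utf-8")


def flag_traversal_requests(log_lines):
    """Return (client_ip, request_target) for access-log lines whose request
    target contains a traversal indicator. The log format is constructed."""
    hits = []
    for line in log_lines:
        # Minimal combined-log style parse: ip - - [time] "METHOD target HTTP/x"
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"', line)
        if m and TRAVERSAL_RE.search(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits


# Constructed access-log lines for the detection check.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Oct/2016:21:14:02 +0000] "GET /index?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Oct/2016:21:14:07 +0000] "GET /index?page=../config/secrets.txt HTTP/1.1" 200 41',
    '203.0.113.9 - - [19/Oct/2016:21:14:09 +0000] "GET /index?page=%2e%2e%2fconfig%2fsecrets.txt HTTP/1.1" 200 41',
]


def demo() -> dict:
    """Run both loaders against a benign and a traversal input; return outcomes."""
    base = make_sandbox()
    out = {"unsafe_leaks": False, "safe_blocks": False, "safe_serves": False}
    leaked = load_page_unsafe(base, "../config/secrets.txt")
    out["unsafe_leaks"] = "db_password" in leaked
    try:
        load_page_safe(base, "../config/secrets.txt")
    except PermissionError:
        out["safe_blocks"] = True
    out["safe_serves"] = "Welcome" in load_page_safe(base, "home")
    out["flagged"] = flag_traversal_requests(SAMPLE_LOG)
    return out


if __name__ == "__main__":
    print(demo())
```

The fix is the combination, not either half: the allowlist stops the parameter from naming arbitrary files, and the containment check after `resolve()` catches anything the allowlist missed (a symlink, a later edit that adds a wildcard). The log check is deliberately crude and will not catch every encoding, but a client sending `../` or `%2e%2e%2f` in a page parameter is worth an alert.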

Revolver reportedly tweeted about the vulnerability he used to get in, but after a few hours, he was ready to give up and just dox it all.

A de-spicified version of Revolver’s tweet, which appears to also have either been deleted or which is hidden from non-followers:

No reply from #adulfriendfinder.. time to get some sleep. They will call it hoax again and I will f**king leak everything.

If you have an account on AFF, it would be a good idea to change your password. Also, change your password for anywhere else you’ve used that email/password combination (not that you’d reuse passwords of course).

If you need help in choosing a new password, check out our video below:
