Cyber Incident Victim: FriendFinder Networks
Date: Nov 2016
Location: United States of America
Summary
A major breach of an adult-focused social network compromised over 412 million accounts across multiple affiliated platforms, including Cams.com and Penthouse.com, marking the company's second significant security incident within two years. Weak security practices, including passwords stored in plaintext or hashed with the outdated SHA-1 algorithm, enabled the cracking of 99% of credentials, and the exposed data even included accounts that were supposedly deleted. Stolen data encompassed usernames, email addresses, payment statuses, VIP membership details, IP addresses, browser information, and last login timestamps. The intrusion coincided with public disclosure of a critical local file inclusion vulnerability that could permit remote code execution. Previous breaches had exposed sensitive user attributes like sexual preferences and affair-seeking behavior from millions of accounts.
Description
In November 2016, FriendFinder Networks suffered a major breach compromising over 412 million accounts across its AdultFriendFinder platform, alongside 62 million accounts from Cams.com, 7 million from Penthouse.com, and additional records from smaller affiliated sites. The attack coincided with security researcher Revolver’s disclosure of a critical local file inclusion vulnerability in AdultFriendFinder’s systems, which could enable remote code execution on web servers. This marked the company’s second significant breach within two years, following a 2015 incident that exposed nearly 4 million accounts containing sensitive user preferences and affair-seeking statuses. The compromised SQL databases stored usernames, email addresses, last login dates, and passwords—many in plaintext or weakly hashed using the outdated SHA-1 algorithm. LeakedSource analysis revealed 99% of these passwords were successfully cracked due to inadequate cryptographic protection. Additional stolen data included membership tiers (VIP status), browser details, last-used IP addresses, and payment transaction indicators. Even accounts previously marked as "deleted" remained intact within the databases, amplifying the breach’s scope.

ZDNet verified portions of the dataset by contacting affected users, with one confirming limited site usage under fabricated credentials and another expressing unsurprised resignation at the breach. Further validation occurred through password reset tests on two dozen accounts linked to disposable email addresses. The exposure of persistent identifiers like emails and reused passwords created widespread credential-stuffing risks, while membership and payment data increased potential for extortion or targeted scams. No internal detection mechanisms, containment procedures, or victim remediation efforts were described in available reports. The incident underscored systemic security failures within FriendFinder Networks, including repeated vulnerabilities to SQL database exfiltration, reliance on obsolete password storage methods, and retention of deceptively labeled "deleted" user records.
