Cyber Incident Victim: FriendFinder Networks
Date: Oct 2016
Location: United States of America
Summary
A hacker known as Revolver claimed unauthorized access to the Adult FriendFinder service, posting screenshots suggesting infrastructure compromise, while another hacker, Peace, asserted possession of a 73-million-user database allegedly obtained via a previously publicized backdoor. Security analysis of leaked files indicated legitimate compromise, including exposure of employee names, personal IP addresses, and VPN keys for remote server access. The service’s parent company acknowledged investigating potential security incidents but had not confirmed the breach at the time of reporting, while the hackers threatened further data leaks following unaddressed vulnerability disclosures. This followed a prior breach in which sensitive user information—including sexual preferences and contact details—was stolen and sold.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On October 18, 2016, hackers using the aliases Revolver (also known as 1x0123) and Peace publicly claimed to have breached Adult FriendFinder, a subsidiary of FriendFinder Networks. Revolver posted screenshots suggesting access to the website’s infrastructure, though these images alone did not conclusively prove the breach. Separately, Peace asserted he had obtained a database containing records of 73 million users, telling Motherboard he exploited a backdoor vulnerability that had been publicly disclosed on the Hell hacking forum two years prior. Peace further stated he shared access to FriendFinder Networks’ systems with other hackers, including Revolver. Security researcher Dan Tentler analyzed files provided by Peace, confirming the breach’s legitimacy based on evidence of compromised employee data—including names, home IP addresses, and VPN keys for remote server access. Tentler characterized the intrusion as a "complete end-to-end compromise," indicating extensive network access. Revolver claimed on Twitter to have exploited the same vulnerability in September 2016 and threatened to leak data after receiving no response from Adult FriendFinder regarding his vulnerability report.

This incident followed a prior breach in 2015, when a hacker known as ROR[RG] leaked sensitive data—including sexual preferences, relationship statuses, email addresses, and locations—of nearly 4 million users, selling the dataset for 70 Bitcoin ($16,700 at the time). The 2016 breach impacted a significantly larger user base, with 73 million records allegedly exfiltrated. FriendFinder Networks acknowledged the reports on October 19, stating it was investigating the incident’s validity and would notify affected customers if confirmed. Revolver escalated threats to leak data after the company’s initial silence, tweeting, "They will call it hoax again and I will fucking leak everything." The compromised data exposed critical operational details, such as internal VPN credentials, raising concerns about systemic security weaknesses. No subsequent confirmation of customer notifications or containment measures was disclosed in the immediate aftermath of the reports.
