In what could rival the size and impact of an earlier hack of MySpace, usernames, purchasing patterns, internet addresses and passwords of more than 412 million subscribers were exposed after Adult Friend Finder was breached last month.
In a number of instances, passwords stored in clear text are visible, and in other cases passwords hashed with SHA1 were easily cracked, according to breach notification website LeakedSource.
If preliminary reports prove true, this would be the worst hack of 2016, outdoing the MySpace hack whose tally reached 360 million.
And, this is not the first time that Adult Friend Finder, a portal operating a number of so-called 18+ services, has been breached. It was the target of an attack in May 2015.
Last month's attack hit six properties operated by FriendFinder Networks (FFN): Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com, iCams.com and an unknown domain. It was reported that the attackers purloined nearly 20 years of data.
Six properties operated by FriendFinder Networks (FFN) were affected by a breach:
Cams.com: 62,668,630 users
Penthouse.com: 7,176,877 users
Stripshow.com: 1,423,192 users
iCams.com: 1,135,731 users
Unknown domain: 35,372 users
Total: 412,214,295 affected users
FFN has so far not confirmed the attack, but did acknowledge being made aware of "potential security vulnerabilities."
"FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources," Diana Ballou, VP and senior counsel at FFN, told ZDNet. "While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability."
Additionally, FFN has brought in a partner to look into the hack, according to Ballou, and promised to update customers.
A researcher, known on Twitter and other sites as 1x0123, provided evidence of a local file inclusion vulnerability (LFI) used to trigger the breach. LFI flaws enable attackers to "include files located elsewhere on the server into the output of a given application," according to CSO. The researcher added that the LFI was detected in a module embedded in the adult website's production servers.
Most commonly, an LFI results in data being displayed to the screen, or it can be manipulated to perform more nefarious tasks, such as code execution. The bug is present in applications "that don't properly validate user-supplied input, and leverage dynamic file inclusion calls in their code," CSO explained.
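As an added illustration of the pattern CSO describes (not code from the article or from FriendFinder Networks), the following Python shows a file-include routine that trusts user input beside a hardened version using an allow-list plus a resolved-path check; the web root, template and "config" file are constructed in a temporary directory.

```python
"""Local file inclusion (LFI): the vulnerable pattern beside a hardened one.

Added example, not code from the article or FriendFinder Networks. The web
root, template and 'config' file below are constructed in a temp directory.
"""
import os
import tempfile

ROOT = tempfile.mkdtemp()
TEMPLATES = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "home.html"), "w", encoding="utf-8") as f:
    f.write("<h1>home</h1>")
# A file outside the template directory that must never be served.
with open(os.path.join(ROOT, "config.php"), "w", encoding="utf-8") as f:
    f.write("db_password=constructed-secret")


def include_vulnerable(page: str) -> str:
    """Dynamic include driven by raw user input: the pattern CSO describes.
    Whatever relative path the client supplies is joined and read verbatim."""
    with open(os.path.join(TEMPLATES, page), encoding="utf-8") as f:
        return f.read()


ALLOWED_PAGES = {"home"}  # constructed allow-list of page names


def include_hardened(page: str) -> str:
    """Map user input onto a fixed allow-list, then confirm the resolved path
    is still under TEMPLATES (defence in depth against traversal/symlinks)."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    target = os.path.realpath(os.path.join(TEMPLATES, page + ".html"))
    base = os.path.realpath(TEMPLATES) + os.sep
    if not target.startswith(base):
        raise ValueError("path escapes template directory")
    with open(target, encoding="utf-8") as f:
        return f.read()


def hardened_rejects(page: str) -> bool:
    """True when the hardened include refuses `page` (used by the checks)."""
    try:
        include_hardened(page)
    except ValueError:
        return True
    return False
```

In a web framework the `page` argument would come from a query string or route parameter; the allow-list is what removes the dynamic-include risk, and the realpath check catches anything the mapping step misses.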
The exposure of passwords is troubling, LeakedSource said, as the login details can expose user identities and make it simple for cyber thieves to use the information to hijack accounts and follow up with any manner of nefarious activity, such as hitting users up with extortion demands. Nearly a million users used "123456" as their password.
In this case, the fact that verification showed that some data is stored in clear text while passwords are encrypted with SHA-1 is not enough to thwart today's adversaries, Adam Brown, manager of security solutions at Synopsys, told SC Media in an emailed statement on Monday.
"Unfortunately penetration testing or application security scanning can offer almost no insight into how data is stored or processed inside an organisation's applications and data stores," he said. "A data-centric approach is needed. It enables organisations to see how their data is managed by systems and, more importantly, whether it is encrypted and whether that encryption level is satisfactory."
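To make concrete why the unsalted SHA-1 storage reported above offers so little protection, this added Python example (not from the article or any of the companies quoted) contrasts it with a salted scrypt scheme; the user records and scrypt parameters are constructed for illustration.

```python
"""Unsalted SHA-1 versus a salted, memory-hard password hash.

Added example, not code from the article or the companies quoted. The
user records and scrypt cost parameters below are constructed.
"""
import hashlib
import hmac
import os

# Constructed records: two users who share the most common leaked password.
USERS = {"alice": "123456", "bob": "123456"}

# Constructed scrypt cost (16 MiB of memory); tune upward in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha1_store(password: str) -> str:
    """Legacy scheme: one fast, unsalted digest per password. Identical
    passwords give identical digests, so a single lookup unmasks them all."""
    return hashlib.sha1(password.encode()).hexdigest()


def scrypt_store(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a memory-hard KDF; stored as a tagged string."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(key.hex(), key_hex)


def identical_digest_count(store) -> int:
    """Number of stored values that collide across USERS under `store`.
    Unsalted SHA-1 collides for every shared password; salted scrypt does not."""
    digests = [store(pw) for pw in USERS.values()]
    return len(digests) - len(set(digests))
```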
So far, based on information currently available around the breach, it's quite probable that a vulnerable web application was used to steal the data, Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC Media in an emailed statement on Monday. Gartner, he explained, highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration. However, Kolochenko said that companies still tend to underestimate the risks related to web applications and consequently put their customers at huge risk. "With this breach of 400 million accounts we should expect a domino effect of smaller data breaches with password reuse and spear-phishing," he warned.
Some large companies, handling and processing personal data, still fail to respect and even intentionally neglect the basics of information security, Kolochenko added. "Despite numerous reports on increasing cybersecurity spending during the last few years, many companies do spend more, but aren't becoming more secure. A holistic risk assessment, comprehensive asset inventory and continuous security monitoring are often omitted, even though they are probably the most important parts of information security strategy and management."
This attack on AdultFriendFinder is extremely similar to the breach it suffered last year, David Kennerley, director of threat research at Webroot, told SC Media in an emailed statement on Monday. "It appears to not only have been discovered once the stolen details were leaked online, but even details of users who believed they deleted their accounts have been stolen again. It's clear that the organisation has failed to learn from its past mistakes and the result is 412 million victims that will be prime targets for blackmail, phishing attacks and other cyber fraud."
All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance and look at threat intelligence solutions that provide them with the greatest scope of protection, Kennerley wrote. "It goes without saying that systems, software and processes should be regularly reviewed as previously accepted risk levels may no longer suffice."
Consumers, he added, need to think twice about posting anything online they may not want to show up in public. "Every day there seems to be news of another breach," Kennerley said.
Kolochenko at High-Tech Bridge agreed that computer users should be wary of posting anything online they might not want to see made publicly available. He suggested that enforcement of the General Data Protection Regulation (GDPR) will probably help to minimise this type of incident in the future, though he did acknowledge it will take some time.