Cyber Security

Hookup Site Adult FriendFinder Hacked, Millions Exposed

Hackers claim to have stolen 412 million user accounts from AdultFriendFinder and webcam sex chat sites

Cyber Security
Illustration: Diana Quach
Nov 14, 2016 at 10:47 AM ET

Adult FriendFinder, one of the largest hookup sites on the internet, is reportedly the victim of a massive hack.

LeakedSource.com, a site that collects and processes so-called “megabreaches,” giant hacks of user data, announced Sunday that hackers have stolen and shared nearly 340 million Adult FriendFinder accounts. Like Ashley Madison, a hookup site for spouses looking to cheat, Adult FriendFinder brands itself as more of a hook up site than a place to meet dates: Its tagline reads: “Hookup, find sex, or meet someone special now.”

Hackers also breached the larger FriendFinder network, which includes accounts from Cams.com, iCams.com, and Stripshow.com —now called PlayWithMe.com — as well as Penthouse.com and one other unknown domain. In total, the combined breaches contain 412 million accounts.

It’s the second time AdultFriendFinder was hacked since last year, when the sexual preferences of over 3.5 million accounts, among other details, were made public. Despite that, the website continued to store 103 million passwords in its databases in plain text, and encrypted the remaining 232 million using SHA1, an outdated hashing algorithm, according to the hacked data.

This hack, however, does not contain sexual preference information. LeakedSource.com sent Vocativ a sample of the hack, and the data contains usernames, emails, passwords, preferred language, and other data. LeakedSource.com said it was not releasing the full data “for various reasons.”

Asked to explain how it obtained the data, a spokesperson told Vocativ in an email: “One of our sources gave us the data but they wish to remain anonymous. We have no problems naming them if they ask to be named (eg: MySpace leak) but in this case the people don’t want that.”

The combined hacks include 5,650 registered .gov email addresses and 78.301 .mil ones. The most common password, used for 900,420 accounts, is the embarrassingly simple “123456.” The second most popular was “12345,” with 635,995 accounts, followed by “123456789,” used in 600,000 accounts.

News of the leak broke less than a month after a researcher revealed a security flaw on the website that allowed anyone to view database information by entering a specific URL, known as a Local File Inclusion.

While hundreds of millions of accounts were registered on AdultFriendFinder, just six million users logged into their accounts in 2016. That’s a major drop from the site’s 2014 peak of almost 68 million logins.

AdultFriendFinder had not commented on the hack publicly by Monday morning, and its Twitter feed was business as usual. Vocativ contacted the website, as well as Andrew Conru, founder and chairman of FriendFinder Networks, and will update this story if we receive a response.

Forbes reported in 2013 that FriendFinder Networks had filed for Chapter 11 bankruptcy protection, and had not turned a profit since 2008.