Adult friend finder leak
Friend Finder Networks, stung last year when its Adult Friend Finder website was breached, could not be immediately reached for reaction (see Dating Website Breach Spills Secrets).
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification site, says that at first glance some of the data appears legitimate, but it's still early to make a call. "I'd need to see a complete data set to make an emphatic call on it." If the data is accurate, it would mark one of the largest data breaches of the year behind Yahoo, which in October blamed state-sponsored hackers for compromising at least 500 million accounts in late 2014 (see Massive Yahoo Data Breach Shatters Records).
It wasn't clear if the company was referring to the local file inclusion flaw.
The sites breached would appear to include Adult Friend Finder.com, i Cams.com, Cams.com, and Stripshow.com, the last of which redirects to the definitely not-safe-for-work playwithme[.]com, run by Friend Finder subsidiary Steamray.
Today's computers can rapidly guess hashes that may match the real passwords.
Leaked Source says it has cracked most of the SHA-1 hashes.
But the company fixed a code injection flaw that could have enabled access to source code, Friend Finder Networks told the publication.Others had been hashed, the process by which a plaintext password is processed by an algorithm to generate a cryptographic representation, which is safer to store.Still, those passwords were hashed using SHA-1, which is considered unsafe.Leaked Source provided samples of data to journalists where those sites were mentioned.But the leaked data could encompass many more sites, as Friend Finder Networks runs as many as 40,000 websites, a Leaked Source representative says over instant messaging.It also would be the second one to affect Friend Finder Networks in as many years.In May 2015 it was revealed that 3.9 million Adult Friend Finder accounts had been stolen by a hacker nicknamed ROR[RG] (see Dating Website Breach Spills Secrets).CSOonline reported that someone had posted screenshots on Twitter showing a local file inclusion vulnerability in Adult Friend Finder.Those types of vulnerabilities allow an attacker to supply input to a web application, which in the worst scenario can allow code to run on the web server, according to a OWASP, The Open Web Application Security Project."We didn't split any data ourselves, that's how it came to us," the Leaked Source representative writes."Their [Friend Finder Networks'] infrastructure is two decades old and slightly confusing." Many of the passwords were simply in plaintext, Leaked Source writes in a blog post.