Friend Finder Network Inc was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data, which makes it by far the largest breach we have ever seen — MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015. IT security experts from Redscan, AlienVault, ESET, Comparitech.com, Synopsys and Watchful Software have commented below.
Robert Page, Lead Penetration Tester at Redscan:
“Unfortunately many businesses simply do not learn their lesson and by failing to implement proper cyber security controls repeatedly place the privacy of users at risk. By storing passwords in clear text or insecure formats, companies render even complex passwords useless. Good user account practice should therefore involve use of unique passwords between websites.”
Javvad Malik, Security Advocate at AlienVault:
“I’m still getting my head around the extent of the Adult Friend Finder hack. But for all intents and purposes, it looks as if security wasn’t even an afterthought. Not only were passwords stored with trivial protection, but accounts that users had deleted appeared not to have been deleted at all.
The impact from sites such as Adult Friend Finder could be as significant as the Ashley Madison breach which had reports of suicides as a direct result of the breaches. Whilst probably not at the same level, the Adult Friend Finder breach data does contain several thousand .gov and .mil email addresses.
In a word, it looks like Adult Friend Finder had as close to no security as you can get while running such a website.”
Mark James, Security Specialist at ESET:
“This leaked data is astounding. The fact that people are still using the most common passwords we see time and again is truly amazing. We know these passwords are out there, we know they are easily cracked, we know we should not be using them but we still do, it makes no sense. Companies need to start putting in measures to stop these passwords being used. We have the lists, they have the lists, it’s a simple lookup. Whilst I appreciate it’s our responsibility to protect our data there are some seemingly easy measures that could be put in place to stop the use of these extremely common words. Some websites already do this but more need to step up and help those people who still do not understand the need for password sense.
With the previous attacks we have seen on these types of websites you would have expected the password storage security to have been increased, but sadly this is not the case here. The methods used were considered poor practice by some and terrible by others. Companies need to step up and take control of how they store and manage our data. Yes, it’s our job to be responsible, but on the same note they should encourage high standards and do more than the required basics to keep it safe.”
Lee Munson, Security Researcher for Comparitech.com:
“The Adult Friend Finder hack, like many that have gone before it, and many that will come after, highlights the poor approach to security taken by even the biggest sites on the web.
The use of SHA1 – whose effectiveness has been questioned since at least 2005 – is almost as disturbing as the fact that over 15 million deleted user account emails were still allegedly kept in the site’s database.
That over 100 million passwords were apparently stored in plaintext is, frankly, ridiculous. If true, the mastermind behind that idea should probably be feeling very uneasy about their future job prospects right now.
Worse, however, is the choice of passwords seemingly picked by those who signed up for an account. Classics such as “123456” and “password” have been flagged up time and again after other sites have been breached.
Both internet users and the security industry as a whole need to get their respective acts together on this in order to prevent the still very widespread and repetitive use of extremely poor credentials.”
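Two of the points raised above (Mark James on blocking the most common passwords with a simple list lookup, and Lee Munson on unsalted SHA-1 and plaintext storage) can be shown concretely in code. The following is an added example written for this page; it is not code from Friend Finder Network or from any of the contributors quoted. The denylist entries are a small constructed sample standing in for a real breached-password list, the PBKDF2 iteration count is an assumed parameter, and the audit helper assumes a legacy store of unsalted SHA-1 digests, which is the storage method the commentary describes.

```python
import hashlib
import hmac
import os

# Constructed sample of a common-password denylist. A real deployment would load
# the published lists compiled from earlier breaches; these entries are illustrative.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111"}


def is_common_password(candidate: str) -> bool:
    """The 'simple lookup' from the quote: reject anything on the denylist."""
    return candidate.lower() in COMMON_PASSWORDS


def weak_sha1_hash(password: str) -> str:
    """Unsalted SHA-1, shown only for contrast. Equal passwords give equal
    digests across all users, so one precomputed table covers the whole store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_sha1_store(stored_digests: dict) -> list:
    """Defender-side audit of a legacy unsalted SHA-1 store: find accounts whose
    digest matches a denylisted password so they can be forced to reset.
    stored_digests maps account id -> hex SHA-1 digest."""
    table = {weak_sha1_hash(p): p for p in COMMON_PASSWORDS}
    return sorted(acct for acct, digest in stored_digests.items() if digest in table)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hash using PBKDF2-HMAC-SHA256 from the standard library.
    The per-user random salt defeats shared lookup tables; the iteration count
    (assumed value here) makes each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def register(password: str, iterations: int = 600_000) -> str:
    """Registration path: denylist check first, then salted slow hash."""
    if is_common_password(password):
        raise ValueError("password is on the common-password denylist")
    return hash_password(password, iterations)


if __name__ == "__main__":
    # Constructed legacy store: two users chose "password", one chose something else.
    legacy = {
        "alice": weak_sha1_hash("password"),
        "bob": weak_sha1_hash("password"),
        "carol": weak_sha1_hash("correct horse battery staple"),
    }
    print("accounts to force-reset:", audit_sha1_store(legacy))
    record = register("correct horse battery staple")
    print("stored record:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Note that two users with the same password produce identical unsalted SHA-1 digests, which is exactly why a single lookup table recovers the whole store; with the salted PBKDF2 record each call to register produces a different string for the same input, and verification still works because the salt travels with the record.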
Adam Brown, Manager, Security Solutions at Synopsys:
“When data breaches occur you want to be sure that the data that is extracted is encrypted to such a level that it is of no use to outsiders.
In this case verification has shown that some data is stored in clear text while passwords are encrypted with SHA-1 (not enough to thwart today’s adversaries).
Unfortunately penetration testing or application security scanning can offer almost no insight into how data is stored or processed inside an organisation’s applications and data stores.
A data-centric approach is needed. It enables organisations to see how their data is managed by systems and, more importantly, whether it is encrypted and whether that encryption level is satisfactory.”
Justine Cross, Regional Director at Watchful Software:
“The public has long since run out of patience for companies that fail to protect their data, and the Friendfinder Network is just the latest example proving that businesses must take a new stance to keep information in their care safe.
It is no longer enough to focus on passwords and financial data – any level of breach can cause significant distress or financial harm to the affected customers. Stolen email addresses will leave the victims vulnerable to phishing attacks and fraud across other sites using the address, while names and other details can be used as a source of embarrassment or blackmail.
While companies obviously need to harden their defences against intrusion as much as possible, they must also prepare their data for the event of a successful attack. All data pertaining to customers should be automatically classified and encrypted the moment it is created, ensuring that only authorised users can open it. With this in place, even if data is stolen it will be much more difficult for criminals to make use of it.
Aside from the inevitable legal and reputational backlash, it’s also worth noting that the Friendfinder Network breach would certainly be subject to the upcoming EU GDPR and the huge potential fines it can levy.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.