Adult Friend Finder Breached – 400 Million Accounts Leaked

Friend Finder Network Inc was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data which makes it by far the largest breach we have ever seen. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015. IT security experts from Imperva, Rapid7 and NuData Security commented below.

 Amichai Shulman, founder and CTO of Imperva:

“With all the hacks in the news and dumps of millions of user names and passwords, it’s astonishing but not surprising that people continue to use simple passwords across multiple websites, often reusing the same password for years.

It would be great if we could patch people – but the fundamental issue is that people aren’t perfect. No matter how much awareness is raised, and no matter how much we invest in training, we need to assume they will make mistakes such as reusing passwords. These mistakes have implications in the enterprise as we can see in the dump of user names from FriendFinder that people are using their work email – with 5,650 accounts ending in the domain .gov. What’s more, if you’re an enterprise or government organization, your employees could very possibly be putting your organization at risk. Companies need to proactively protect their customers, which also means protecting your data and applications.”

Tod Beardsley, Senior Research Manager at Rapid7:

“The Friend Finder breach is notable not only for its size, but also for the private nature of the data. While no direct personal information beyond the account credentials are included, it’s a relatively simple matter for an attacker armed with this data to start enumerating accounts automatically; the Friend Finder network, so far, has not confirmed the breach, and therefore, is not yet forcing password resets for its users. This is an invitation for attackers to race against any future account control measures implemented by FFN.

Breaches happen to all sorts of companies, large and small. When a company is holding the intimate personal details of its users, it’s critical they act quickly to mitigate losses and prevent further loss of privacy. Many of the victims of this breach shared frank and quasi-anonymous discussions concerning sexuality, sexual orientation, and gender identity issues; they may now be concerned about physical danger, abusive spouses, or repressive governments. I am hopeful that the Friend Finder Network will take corrective action, such as password resets and other account controls in order to protect their users.”

Robert Capps, VP of Business Development at NuData Security:

 “It’s apparent that with this massive hack of over 400 million records, combined with the Ashley Madison hack of over 37 million user accounts or the yahoo breach of a half a billion accounts, we really have arrived in the golden age of mass hacking with the intent to embarrass or destroy the credibility of another person, or group of people. This is an incredibly dangerous escalation, that will see even more sensitive data being stolen and opportunistically leaked for political or personal gain. We’ve already seen in the recent US election, a potential for leaks to be used to sway opinion as in the case of the Clinton Wiki-Leaked emails. We could see how leaks can be used as a kind of weaponized information blast to target certain parties, groups or organizations for retribution or political gain.”