More than 412 million usernames, email addresses and passwords for user accounts associated with top adult-entertainment and dating websites have been exposed, thanks to a massive intrusion last month into the databases of the FriendFinder network, which runs AdultFriendFinder.com, Penthouse.com, Stripshow.com, Cams.com and iCams.com. User data from a sixth, unidentified, site was also affected.
FriendFinder stored user passwords in either plain text or as "hashes," strings of seemingly random letters and numbers that are the results of running passwords through complex mathematical algorithms. Sadly, the hashing algorithm used by FriendFinder wasn't very strong. About 99 percent of the 412 million FriendFinder passwords have been cracked, according to LeakedSource, a controversial website that obtained and analyzed the full data set.
If you've ever created an account on any of the FriendFinder sites, and you reused that password on other websites, change that password on the other sites immediately. If you deleted an account on a FriendFinder site months or years ago, sorry — it looks like the company kept your user records on the books anyway.
The FriendFinder databases have circulated online since the leak, and some records have time stamps from as recently as Oct. 17, so it's assumed the intrusion took place in the latter half of last month. A security researcher using the online name 1x0123 reportedly warned FriendFinder of a security flaw on Oct. 18th and FriendFinder responded that it would investigate the claims.
Even if you create a long, complicated, hard-to-guess password, it can still be cracked if a company stores it improperly — LeakedSource says that passwords of up to 32 characters were cracked in this instance. Even worse, FriendFinder seems to have converted all letters in passwords to lowercase before hashing them, making reversing the hashes much easier.
Ironically, that means users whose passwords mixed uppercase and lowercase letters are slightly safer, as malicious hackers may have a hard time guessing which letters would have originally been uppercase.
FriendFinder users who deleted their accounts prior to this breach are still affected. LeakedSource notes that a "significant amount of users had an email in the format of: firstname.lastname@example.org@deleted1.com." Websites sometimes do this to retain user information even after a user requests to be purged from the rolls.
How significant is the amount of users who tried to delete themselves? 15,766,727 user records include "@deleted" in the email field. So even if you felt guilty about using the service and abandoned it, it still kept your email address on file.
LeakedSource normally lets you search for your own email address for free, then charge you for further information. (Similar sites give you full access for free.) But it isn't giving the public access to the FriendFinder data set yet, citing "much internal deliberation" and "various reasons." We're guessing that it doesn't want to make it easy to search for the email addresses of your spouse, friends, foes or family members.
So what can you do?
— Never recycle your password. Reusing a password across multiple sites means that all those sites get put at risk when one service is hacked.
— Instead, use a password manager to create unique, complex, hard-to-guess passwords for each service you use. Mix upper and lowercase characters and use numbers and other symbols.
— We're not judging what you do online, but think twice before you do anything on the internet. Most online services will suffer data breaches eventually, and privacy is more a temporary state of mind than something you can believe in.