Less than 18 months ago, the extramarital-affair-enabling website Ashley Madison had a huge data breach. Data from over 30 million accounts was posted online, and there was a flurry of shaming and finger-pointing all over the internet. You’d think the industry would have learned.
Alas, it did not. A similar website, AdultFriendFinder, which calls itself “the world’s largest sex and swinger community,” got hit, and over 410 million account details, including email addresses and passwords, have been posted online. It’s one of the largest breaches of all time.
What Happened This Time?
In October, AdultFriendFinder and multiple sister sites (including Cams.com and Penthouse.com) were attacked. Websites under the control of Friend Finder Networks, the parent company, were vulnerable to a type of attack called local file inclusion. This attack gave hackers access to a number of Friend Finder databases, including billing information, member lists, and chat logs.
Friend Finder was also hacked last year, and the details of four million accounts was released. It appears they didn’t upgrade their security. This attack is much, much worse.
Among the information posted online were email addresses and passwords that hadn’t been securely encrypted, meaning that hackers could actually see plain text details. Obtaining an encrypted password won’t do an attacker much good, but actually obtaining email addresses and passwords not only compromises the identity of users, but also opens them to further attacks.
Adding insult to injury, a lot of deleted accounts — potentially up to 15 million — still had their information stored on the servers. So even people who had deleted their Friend Finder accounts may have been compromised. Some outlets are reporting that 20 years of data was released.
What You Need to Know
According to Leaked Source, the following websites were compromised:
There may also be others that we’re not aware of yet. If you have an account on any of these sites, or if you’ve ever had an account, it’s best to assume that your information has been compromised. Unless you’ve been in the habit of using unique, strong passwords for a long time, you should change all of your other account passwords. Now.
The AdultFriendFinder breach isn’t yet searchable on HaveIBeenPwned.com, and Leaked Source hasn’t posted a link to the database on their main page. So there’s no way to know for sure at the time of this writing if your information has been made public. It’s best to assume that it has.
Is It Really That Bad?
This hack could have serious repercussions. Sites like AdultFriendFinder and its affiliates collect important information that could be used by identity thieves. Your name, email and physical addresses, and phone number are all crucial to identity theft. If you notice any suspicious financial activity after a breach like this, contact the relevant institutions immediately.
The fact that these particular sites are adult-oriented means that this information could potentially be used for blackmail as well. If your hookups, one-night stands, and sexual preferences were to be made public, what would you do or pay to prevent it? It’s a sobering thought. Whether or not you want to bring up the fact that your name might be on one of these lists with someone close to you is a tough decision, too.
There’s always the risk of simple mayhem, as well. Plenty of hackers are out just to cause problems for other people. This could mean deleting your other accounts, taking over your social media feeds, sending spam or malware to the people in your email contact list, and many other things that aren’t inherently as bad as identity theft or blackmail, but are still really annoying.
How to Prevent This Next Time
Obviously we all hope there’s no next time. But based on what we’ve seen over the past couple years, it seems like there’s a good chance. So here’s what needs to happen.
1. We (all of us) need to demand better security.
Whether you had an account at one of these sites or not, this concerns you. The companies storing our data need to know that security matters. A lot. We need to start expecting companies to not only protect our data, but to explain to us in clear terms how they’re going to do that.
Sign petitions, fill out feedback forms, choose where you bring your business. These are the sorts of things that will show organizations that security is important.
2. Understand that nothing online is private.
Sure, encrypted messaging will keep people from eavesdropping. Encrypted email makes it nearly impossible for the NSA to read. But when you entrust your data to someone else, there’s a possibility that someday it will be made public.
Keep this in mind when you sign up for services like AdultFriendFinder or Penthouse. If you still want to sign up, at least open up a new email address and use an anonymous, temporary credit card (like Vanilla Visa) for that purpose. Managing multiple email accounts can be a pain, but think of the alternative.
3. Choose strong passwords.
If your data is leaked, there are a few ways to minimize the damage. The first and best way is to choose unique passwords for all of your accounts. Anyone who gets hold of one of your passwords isn’t going to be able to do anything with it, because it won’t work on any other sites.
We’ve shown you all sorts of ways to come up with strong passwords. And using a tool like LastPass’s password generator (pictured above) will give you nearly-uncrackable passwords. The top 10 passwords from AdultFriendFinder were as follows:
These ten passwords were in use by almost three million accounts, with “123456” making up over 900,000 of those. It’s embarrassing.
Come On, People
Our entire lives are online, and in many cases, they’re protected by little more than a single password. The companies we entrust our data to aren’t doing a good job of protecting it. We’re putting too much faith in them, and we’re not putting in the effort to create backstops. This just shouldn’t be happening anymore.
Hackers are out there, and they’re not going to go away. In fact, they’re only going to use more sophisticated methods to wreak havoc. We need to start demanding better protection from providers, and we need to take steps to protect ourselves.
Have you been affected by this data breach? Even if you’re not, will you reconsider your personal online security because of it? Share your thoughts in the comments below!