Adult FriendFinder (2016) Breach
Oct 16, 2016
219,950,376 rows
What happened in the Adult FriendFinder (2016) Breach?
DataBreach.com Team · November 30th 2024, 7:00 pm EST
On 16 October 2016, Friend Finder Networks (FFN) - operator of AdultFriendFinder.com, Cams.com, Penthouse.com, Stripshow.com and iCams.com - suffered one of that year’s biggest breaches. Breach-notification service LeakedSource obtained a dump containing 412 million account records, about 339 million of them tied to AdultFriendFinder alone.
What was stolen
Attackers exfiltrated usernames, email addresses, IP logs, spoken-language settings and passwords. Troublingly, 99 percent of passwords were stored either in plain text or with unsalted SHA-1, making them easy to crack. Analysts also uncovered 15 million “deleted” profiles that FFN had never actually removed.
How the intruders got in
Forensic reviews point to a Local File Inclusion (LFI) vulnerability in an FFN web application. Exploiting the flaw let attackers read configuration files and pivot into production databases, siphoning two decades of registrations in one hit.
Scope by the numbers
While 412 million rows were leaked, we counted ≈219 million unique email addresses after deduplication - many users kept multiple profiles and “deleted” rows were still present. The dataset was traded privately on underground forums before landing in public breach-notification services in February 2020.
Immediate fallout
Soon after disclosure, cracked credential lists circulated widely, fuelling credential-stuffing attacks on mainstream sites and a rush of sextortion spam citing AdultFriendFinder membership. Privacy advocates stressed that, unlike retail leaks, the exposure risked blackmail and involuntary outing of users’ sexual preferences.
Company response
FFN said it “immediately engaged external security experts,” forced network-wide password resets and moved new credentials to bcrypt hashing, yet critics argued the steps were reactive and left long-standing patch-management and data-retention issues unresolved.
Ongoing significance
FFN’s public statement on 14 November 2016 confirmed a security investigation but offered no detailed breakdown, leaving customers dependent on researchers for clarity. No payment cards were exposed - billing is outsourced - yet time-stamped IP addresses and login histories gave attackers a granular view of user behaviour.
