According to this article from Threatpost, an attack on the FriendFinder network has left details on more than 400 million accounts exposed for sites including Adult FriendFInder, Penthouse.com and Stripshow.com and others. There’s a good bit of info in the linked ThreatPost and ClarkHoward.com articles but there were a couple of things that were glossed over that I wanted to touch on.
The data that was stolen is said to include usernames, passwords (some in plain text), email addresses, dates of last visits and IP address. Even though the leak doesn’t include things like real names and credit card information, it’s still a gold mine in the hands of a skilled attacker. The email address, if the work address was used, can lead directly to the users employer. There’s a good chance that the same password (or some derivative) was used for the work email and any / many services they may have access to at work (web-based email, VPN, terminal server / remote desktop, etc.), giving the attacker an easy into the corporate network. Also, it’s generally safe to assume that many of the username / password combinations have a good chance of working on other sites (social media, bank, credit card, etc.). The IP Address and last logon time can give the attacker some information about where the user is geographically (i.e., if it was a residential Comcast IP address in Georgia, it’s safe to assume the target is in Georgia or, if it was an IP address of a hotel, there may be some infidelity that could be leveraged against the target). Combine that hotel IP address with the newly gleaned data from the target’s social media accounts (since they used the same password and haven’t enabled 2 factor authentication), and the attacker has quite the dossier on the target.
- Don’t use your work email for non-work related activities
- Don’t re-use passwords (and, password1 should not be considered more or less secure [or even different] from password2)
- Just because you didn’t give your real name and / or address online, don’t assume that you’re anonymous.
There were apparently 15 million accounts that were deleted by users but never deleted by FriendFinder. Combine that with the fact that some of the people signed up through sites like Penthouse, iCam and the like and not through FriendFinder directly *and* they deleted their accounts possibly years ago, and it’s likely a good assumption that many of them have no idea that they were impacted.
- It’s important to note the fine print when you sign up for anything online, especially ‘free’ things (if the service is free, you’re the product). Email accounts are free (gmail, Yahoo, hotmail, etc.), so signing up for a single-purpose email account if it’s not something that you’re 100% certain is legit may not be a bad plan.
I noted it earlier but the articles both note that ‘some’ of the passwords were stored in the clear / unencrypted, further lowering the bar for an attacker to use the stolen credentials.
- This should serve as another reminder of the importance of not re-using passwords.
Misc / Erratta