Online hookup website “Adult FriendFinder” might have been hacked—again.
On Tuesday evening, a hacker known as Revolver or 1×0123 claimed to have breached into the service, posting two screenshots that appeared to show he had access to some portion of the website’s infrastructure. Another notorious hacker known as Peace also claimed to have hacked in, and obtained a database of 73 million users.
The screenshots themselves didn’t prove Revolver’s claims, but Peace told Motherboard last week that he had hacked into Adult FriendFinder. When contacted after Revolver’s claims on Twitter, Peace said that he gave some other hackers, including Revolver, “everything, all [FriendFinder Network],” mentioning the site’s parent company.
Adult FriendFinder, which bills itself as “the world’s largest sex & swinger community,” was already hacked in 2015. At the time, a hacker known as ROR[RG] allegedly breached it and leaked a database containing the details of almost 4 millions users, including extremely sensitive information such as users’ relationship statuses, sexual preferences, and their email addresses, usernames, and location. The hacker publicized the breach on the hacking forum Hell, and put the stolen data for sale for 70 Bitcoin (around $16,700 at the time).
Peace said he took advantage of a backdoor that was publicized on Hell two years ago, and said he used it last week to download a database of 73 million users.
Dan Tentler, a security researcher who founded the startup Phobos Group, said he reviewed data leaked online, including a set of files that Peace sent to Motherboard. Based on the files, Tentler said the hacker’s claims appeared to be legitimate, and indicated a serious data breach at Adult FriendFinder.
“Theoretically? Complete end-to-end compromise,” Tentler told me, adding that one of the stolen files contained employee names, their home IP addresses, and even Virtual Private Network keys to access Adult FriendFinder’s servers remotely.
Security researchers who saw Revolver’s claims on Twitter said the flaw the hacker leveraged appeared to be a Local File Inclusion, a common vulnerability in poorly written web applications that allows an attacker to hack into a website and read file from the system. Peace and Revolver also said the flaw they exploited was the same.
Such a flaw can let hackers do “all kinds of things,” including accessing any parts of the server, running code on it, and even—theoretically—spying on users’ activities, according to a defensive security consultant who goes by the moniker Munin.
In a Twitter message, Revolver said he exploited the vulnerability last month, and he is now working on getting access to the databases.
On Wednesday morning, a spokesperson for FriendFinder network said the company was “aware of reports of a security incident.“
“We are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected,“ the spokesperson’s statement read.
Revolver tweeted publicly at Adult FriendFinder and claimed to have reported the vulnerability he used to get in, but after a couple of hours seemed to have given up.
“No reply from #adulfriendfinder.. time to get some sleep,” he tweeted. “They will call it hoax again and I will fucking leak everything.”