Thousands of Dot-Gov Emails Exposed in Adult Hookup Site Breach
Thousands of government and military email addresses were exposed when several adult hookup and pornography sites were hacked last month.
According to LeakedSource.com, 5,650 dot-gov email addresses and more than 78,000 dot-mil addresses were included in the breach of AdultFriendFinder.com, which the company describes as the "world's largest sex and swinger community," and similar sites.
The attacked sites are all managed by Friend Finder Network and include porn site Penthouse.com, adult dating site AdultFriendFinder.com, and various live adult performance sites like Stripshow.com and Cams.com.
In all, Friend Finder Network operates more than 18 sites and the October breach uncovered more than 400 million accounts spanning the last 20 years.
For the sake of comparison, this massive hack uncovered more accounts than the MySpace hack, which uncovered 360 million. This was also the second time Friend Finder was breached in as many years.
Almost every account password was cracked, thanks to the company's poor security practices. Even "deleted" accounts were found in the breach.
Friend Finder Networks confirmed the site vulnerability to ZDNet, but would not outright confirm the breach.
"Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation," said Diana Ballou, vice president and senior counsel, in an email to ZDNet on Friday.
"While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability," she said.
Because the company has yet to examine the full set of addresses, it’s unclear how many of the government and military email addresses are genuine, LeakedSource said in an email to Nextgov.
“E.g.: email@example.com is probably not really Obama registering,” the company said. “A large number of them should be real if the Ashley Madison breach is any indication,” it added, referring to the 2015 breach of an unconnected adult hookup site.
There’s no evidence the breach uncovered bank or credit card data, and LeakedSource is still unsure who carried out this attack.