GoFuckYourself.com - Adult Webmaster Forum


Why 11-13-2016 09:57 AM

AFF/Penthouse has been hacked, 400 millions accounts, largest hack in 2016
 
All customer data has been liberated, as per:
https://www.leakedsource.com/blog/friendfinder

400 million accounts, even 'closed' accounts are still in their database, and apparently the passwords were mostly stored insecurely.

better go download them lists and get to mailing :x

Bladewire 11-13-2016 10:05 AM

Wow! Thanks for the heads up :thumbsup

Barry-xlovecam 11-13-2016 11:02 AM

The bigger issue are the emailers that 'save' your mail list -- their compromising hacks are rarely reported -- ever notice how you get sudden bursts of Spam emails?

Brian mike 11-13-2016 11:32 AM

Thanks for the heads up :thumbsup

Smack dat 11-13-2016 11:44 AM

Not surprised.

Feng-PD 11-13-2016 11:45 AM

how to get that list lol dont see it on the site!

j3rkules 11-13-2016 11:58 AM

Wow, it is really big...

Why 11-13-2016 12:09 PM

Quote:

Originally Posted by Feng-PD (Post 21297805)
how to get that list lol dont see it on the site!

its in the wild, just have to know the right people or the right places to look.

NemesisEnforcer 11-13-2016 12:11 PM

Quote:

Originally Posted by Why (Post 21297538)
400 million accounts, even 'closed' accounts are still in their database, and apparently the passwords were mostly stored insecurely.

Nice piece of nugget :thumbsup

NemesisEnforcer 11-13-2016 12:14 PM

Quote:

Originally Posted by Feng-PD (Post 21297805)
how to get that list lol dont see it on the site!

Try the dark web.

NewNick 11-13-2016 12:21 PM

Old news.

Why 11-13-2016 12:24 PM

Quote:

Originally Posted by Barry-xlovecam (Post 21297703)
The bigger issue are the emailers that 'save' your mail list -- their compromising hacks are rarely reported -- ever notice how you get sudden bursts of Spam emails?

or they just sell the older ones for a cash infusion.

Why 11-13-2016 12:25 PM

Quote:

Originally Posted by NewNick (Post 21297901)
Old news.

not so much, this happened just a few weeks ago.

i think the old news you refer to was the last time they were hacked.

Why 11-13-2016 12:26 PM

the sad part to me is how inept AFFs tech talent appears to be. they were storing passwords in plain text and/or SHA1. its not hard to reverse SHA1 passwords, then take the whole lot and properly secure them.

anyone still doing this deserves any bad press they get.

poncabare 11-13-2016 03:38 PM

Uh oh...

RyuLion 11-13-2016 04:18 PM

Quote:

Originally Posted by jerkules (Post 21297841)
Wow, it is really big...

That's what she said..:2 cents::2 cents:

TeenCat 11-13-2016 04:50 PM

year ago they have been hacked and now year later they still have passwords in plain and nobody have found that someone is downloading whole db? that is not like you download whole db every day, and one of first things is to limit any db operations for ips :2 cents: 400millions is 39x times more than all people in my country, and they have security like that? :helpme

babeterminal 11-13-2016 05:57 PM

Quote:

Originally Posted by TeenCat (Post 21298267)
year ago they have been hacked and now year later they still have passwords in plain and nobody have found that someone is downloading whole db? that is not like you download whole db every day, and one of first things is to limit any db operations for ips :2 cents: 400millions is 39x times more than all people in my country, and they have security like that? :helpme

teencat is 6bot finished now, no update for nearly 2 years?

password changed, on doing so there was some new tos i had to agree with before i could enter program, never read it anyone know the summary of the changes?

HairyChick 11-13-2016 07:10 PM

Another story said iCams and cams.com were hit as well. Fifteen million accounts on AFF were old customers who didn't renew. One organization unencoded 99% of passwords. Hacked a year ago and then again. I'd not trust them with my info.

the Shemp 11-13-2016 07:43 PM

I used to be on a 35% payout for life, but aff hacked me down to 20%...

freecartoonporn 11-13-2016 08:12 PM

400 mil emails wowza.

st0ned 11-13-2016 11:13 PM

Surprising that these individuals and/or groups even release the data unless they have already hit it and want to further hide themselves in the additional flood of emails.

I guess it is for fame outside of that? They could make a killing with that many emails that's for sure.

NALEM 11-13-2016 11:30 PM

Quote:

Originally Posted by Why (Post 21297919)
the sad part to me is how inept AFFs tech talent appears to be. they were storing passwords in plain text and/or SHA1. its not hard to reverse SHA1 passwords, then take the whole lot and properly secure them.

anyone still doing this deserves any bad press they get.


We use SHA512, not SHA1, to hash our passwords. It's still not ideal. Any of you cyber experts want to chime in and make some suggestions? :2 cents:

Barry-xlovecam 11-14-2016 12:05 AM

Use some variable, other than the user name, to salt the password before you hash it.

Emails are a big problem. Not only are they of great marketing value -- email and user data is an extortion bonanza. If you value your businesses reputation and brand goodwill you need to actively secure this data.

The email marketing is problematic. For a medium sized business, doing high volume mail outs, the Spam server rules create security gaps that you have to trust to others (mailers).

The other point is network, database server and script security -- how did the hackers breach the system's security?
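An added example, not part of any post in this thread and not code from any site discussed: one way to answer the SHA1/SHA512 question above is to use a slow, salted key-derivation function (scrypt from Python's standard library) with a random per-user salt, and to wrap existing unsalted SHA-1 hashes so they are protected at rest until each user next logs in. The record format, function names and cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT)

def hash_password(password: str) -> str:
    """New or upgraded record: scrypt over the password, random per-user salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_kdf(password.encode(), salt).hex()}"

def wrap_legacy_sha1(sha1_hex: str) -> str:
    """Protect a stored unsalted SHA-1 hash at rest, without knowing the password."""
    salt = os.urandom(16)
    return f"scrypt-sha1${salt.hex()}${_kdf(bytes.fromhex(sha1_hex), salt).hex()}"

def verify(password: str, stored: str) -> bool:
    try:
        scheme, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    if scheme == "scrypt":
        secret = password.encode()
    elif scheme == "scrypt-sha1":
        secret = hashlib.sha1(password.encode()).digest()
    else:
        return False  # unknown scheme: never fall back to a bare fast hash
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(_kdf(secret, salt), expected)

def login(password: str, stored: str):
    """Return (ok, record_to_store); a wrapped legacy record is upgraded on success."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("scrypt-sha1$"):
        return True, hash_password(password)
    return True, stored

if __name__ == "__main__":
    legacy = hashlib.sha1(b"Tr0ub4dor&3").hexdigest()  # constructed legacy value
    record = wrap_legacy_sha1(legacy)
    print(login("Tr0ub4dor&3", record)[1].split("$")[0])
```

Wrapping lets the whole table be re-protected in one batch job, after which the bare SHA-1 column can be dropped; the per-user salt means identical passwords no longer produce identical records.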

itx 11-14-2016 12:56 AM

If we are FFN affiliates we dont need spread this info, my :2 cents:.

PornDiscounts-V 11-14-2016 02:02 AM

First off... AFF has been hackable since the beginning. And many individuals and hacking groups have been having their way with them.

It is common knowledge in hacking back channels that it is very easy to signup as an affiliate, and then fake, crap traffic, then go into the database and find whales, now swap the affiliate id for your own. Now you too can live in mother Russia like a czar with all of your ill gotten gains.

I would posit that this is going on with almost all affiliate programs dealing with dating and cams.

Btw, doesn't matter if you lock down mysql by ip since the hacker has full control of a white listed box.

CAHEK 11-14-2016 02:09 AM

400 million is huge base

TeenCat 11-14-2016 03:11 AM

Quote:

Originally Posted by st0ned (Post 21298702)
Surprising that these individuals and/or groups even release the data unless they have already hit it and want to further hide themselves in the additional flood of emails.

I guess it is for fame outside of that? They could make a killing with that many emails that's for sure.

it is easy, if you are original hacker, you will no release, if you are someone lucky and dumb, you will release, but mostly it is because the hole have been already filled, so no reason to keep the datas somewhere on local :winkwink:

TeenCat 11-14-2016 03:17 AM

Quote:

Originally Posted by vvvvv (Post 21298813)
Btw, doesn't matter if you lock down mysql by ip since the hacker has full control of a white listed box.

hm, not sure about this one, because if the db operations are active only for one or two ips, i mean ip of billing or script which is writing into the db, you cannot do anything except from those two ips, and if someone change the settings, then some warning systems have to be activated. but, i am not good in those redneck things but looks like aff security guys have also a bit to learn ... another thing is that every big target will always be under attack, so have luck everyone :)

itx 11-14-2016 03:21 AM

If FFN is under attack we need this thing get unnoticed, we can as a Webmasters, they dont give a fuck if trump wins and they dont use it as excuse. We need be the MAFIA.

TeenCat 11-14-2016 08:49 AM

Quote:

Originally Posted by babeterminal (Post 21298339)
teencat is 6bot finished now, no update for nearly 2 years?

password changed, on doing so there was some new tos i had to agree with before i could enter program, never read it anyone know the summary of the changes?

yes man two years is a nice holidays, 6bot will be back at work very soon :winkwink:

Adnium_Ivana 11-14-2016 11:18 AM

It's approx 412 million user details (like passwords & account info) that have leaked. A) that is one massive and envy inducing user base and B) Any site with such a huge list needs top anti-hacking and anti-pirating security. I mean get more people on your Dev & Ops team and invest in top notch software, you've got the $$

Brian mike 11-14-2016 11:31 AM

Quote:

Originally Posted by Adnium_Ivana (Post 21299869)
you've got the $$

Do they really have it or they get in the TINDER FREE APP storm too ? :)

I heard from many clients of the Dating world that they all have lost big at the arrival of the type of Tinder FREE APP Models.

Someone can put some intel on that ?

Why 11-14-2016 11:54 AM

Quote:

Originally Posted by TeenCat (Post 21298936)
hm, not sure about this one, because if the db operations are active only for one or two ips, i mean ip of billing or script which is writing into the db, you cannot do anything except from those two ips, and if someone change the settings, then some warning systems have to be activated. but, i am not good in those redneck things but looks like aff security guys have also a bit to learn ... another thing is that every big target will always be under attack, so have luck everyone :)

his point was if you have access to the one of the servers owning the whitelisted IPs in the database server, there is no way to keep the data safe. Ip protecting your database when your code is insecure doesn't do much for you.

TeenCat 11-14-2016 12:10 PM

Quote:

Originally Posted by Why (Post 21299965)
his point was if you have access to the one of the servers owning the whitelisted IPs in the database server, there is no way to keep the data safe. Ip protecting your database when your code is insecure doesn't do much for you.

ok man got it, thanks for the explanation :thumbsup

Adnium_Ivana 11-14-2016 12:21 PM

Quote:

Originally Posted by Brian mike (Post 21299914)
Do they really have it or they get in the TINDER FREE APP storm too ? :)

I heard from many clients of the Dating world that they all have lost big at the arrival of the type of Tinder FREE APP Models.

Someone can put some intel on that ?

If they've got servers to run and support 400 mill user base + plus traffic in the 100+ millions I'm assuming such a company has got the dough for security

romeo22 11-14-2016 01:01 PM

Wohoo nice !!!!

rhon23 11-14-2016 03:05 PM

In light of recent Friend Finder events we would like to share our statement from Penthouse.

“Prior to February 19th, 2016 Penthouse was a subsidiary of FriendFinder Networks, Inc. and subject to their controls and procedures. As of the close of the sale, Penthouse now operates independent of FriendFinder Networks, Inc.
We are aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data. Penthouse.com is a content site and does not collect data regarding our members sexual preferences. We take our members’ data and site security seriously. We assumed full control of Penthouse.com in May of 2016 and immediately adopted a blanket policy requiring all of our members to change their passcodes. At the time our members weren’t thrilled with the inconvenience but we remain committed to “best practices” in regard to keeping our members’ data secure.”

Why 11-14-2016 03:13 PM

Quote:

Originally Posted by rhon23 (Post 21300373)
In light of recent Friend Finder events we would like to share our statement from Penthouse.

“Prior to February 19th, 2016 Penthouse was a subsidiary of FriendFinder Networks, Inc. and subject to their controls and procedures. As of the close of the sale, Penthouse now operates independent of FriendFinder Networks, Inc.
We are aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data. Penthouse.com is a content site and does not collect data regarding our members sexual preferences. We take our members’ data and site security seriously. We assumed full control of Penthouse.com in May of 2016 and immediately adopted a blanket policy requiring all of our members to change their passcodes. At the time our members weren’t thrilled with the inconvenience but we remain committed to “best practices” in regard to keeping our members’ data secure.”

which begs the question, if the acquiring party noticed this huge issue with how passwords were being stored, why did AFF not, and/or why did they not fix at least that part of the situation long before this all happened?

incompetence or apathy?

rhon23 11-14-2016 03:16 PM

Quote:

Originally Posted by Why (Post 21300394)
which begs the question, if the acquiring party noticed this huge issue with how passwords were being stored, why did AFF not, and/or why did they not fix at least that part of the situation long before this all happened?

incompetence or apathy?

That is a friend finder question. We are now divorced from them.

money biz 11-14-2016 04:17 PM

I bet 65% are from api dating db's that didn't really sign up cough cough

itx 11-15-2016 01:02 AM

:pimp:pimp

TheDA 11-15-2016 03:47 AM

:thumbsup

Vendot 11-15-2016 04:06 AM

Quote:

Originally Posted by Why (Post 21300394)
incompetence or apathy?

They look asleep at the wheel as anyone trying to get a response from affiliate support will tell you.

marcop 11-15-2016 07:21 AM

Quote:

Originally Posted by Why (Post 21297919)
the sad part to me is how inept AFFs tech talent appears to be. they were storing passwords in plain text and/or SHA1. its not hard to reverse SHA1 passwords, then take the whole lot and properly secure them.

anyone still doing this deserves any bad press they get.

This....

PornDiscounts-V 11-15-2016 09:14 AM

Quote:

Originally Posted by TeenCat (Post 21298936)
hm, not sure about this one, because if the db operations are active only for one or two ips, i mean ip of billing or script which is writing into the db, you cannot do anything except from those two ips, and if someone change the settings, then some warning systems have to be activated. but, i am not good in those redneck things but looks like aff security guys have also a bit to learn ... another thing is that every big target will always be under attack, so have luck everyone :)

True, except that you cannot process anything directly in your own database? You always have to use some billing tool to do it? Not!

JFK 11-15-2016 10:15 AM

Quote:

Originally Posted by RyuLion (Post 21298219)
That's what she said..:2 cents::2 cents:

You wish !:1orglaugh:1orglaugh:thumbsup

romeo22 11-15-2016 10:21 AM

Me gusta much :pimp


All times are GMT -7.
