AdultFriendFinder Network Hack Of 412 Million Accounts Eclipses Ashley Madison Breach

In what is being described as the largest security breach of 2016, hackers stole over 400 million user credentials spanning two decades of customer data from Friend Finder Network, Inc., the company that owns and operates several adult-themed websites, including the online dating and hookup site This is also the second time in two years Friend Finder has been hacked.

The bulk of compromised accounts came from AdultFriendFinder, the "world's largest sex and swinger community," which coughed up more than 339 million accounts. Hackers used a local file inclusion exploit to break in and steal customer data. Among the account information collected were over 15 million deleted emails. The significance of that is anyone who may have signed up out of curiosity a decade or more ago is still a victim of the breach.


In addition those accounts, hackers stole details belonging to over 62 million accounts and more than 7 million accounts, along with around 2.5 million accounts from other domains belonging to Friend Finder Network.

To make matters worse, some of the passwords were stored in plain text even though this isn't the first time Friend Network Network has been hacked. Others were hashed, though those were changed to all lowercase before storing them, making them easier to attack (but perhaps less susceptible to abuse in the real world).

"Usually people ask us how many .gov and .mil emails exist on sites like this which is easy enough to check. There are 5,650 .gov registered emails on all websites combined and 78,301 .mil emails," said LeakedSource, which obtained the compromised data.

Many of the accounts appear to have been created with easily guessable passwords, such as 123456, password, and qwerty. The bulk of those were probably created as throwaway accounts, though that's not the case for all of them. Due to the size of the breach, which exceeds that of Ashley Madison last year, LeakedSource said it is taking the unusual step of not making the data searchable at this time.