Big W has self inflicted data leak but nothing compared to the massive data breach at the Friend Finder Network.

November 14, 2016

Data breaches involving the personal information of thousands of people barely rate a mention in data security journals. Even those involving hundreds of thousands are seemingly ubiquitous, though they should not be. The Sony, Target, Home Depot and Ashley Madison breaches involved the personal information of millions of individuals. This year’s Yahoo breach involved 500 million records. None of these breaches were inevitable. They were almost invariably facilitated by dreadful privacy practices, poor cyber security and inadequate investment in systems to deal with breaches when they do arise.

For the second time in two years Friend Finder has been breached. The first breach occurred in May 2015 and resulted in 3.5 million records being accessed. This latest breach involves an estimated 412 million users. There is a complete report by ZDNet which shows that almost every account password was cracked, not by evil geniuses but because of poor security practices. The article provides:

A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts.

The hack includes 339 million accounts from, which the company describes as the “world’s largest sex and swinger community.”

That also includes over 15 million “deleted” accounts that weren’t purged from the databases.


On top of that, 62 million accounts from, and 7 million from were stolen, as well as a few million from other smaller properties owned by the company.

The data accounts for two decades’ worth of data from the company’s largest sites, according to breach notification LeakedSource, which obtained the data.

The attack happened at around the same time as one security researcher, known as Revolver, disclosed a local file inclusion flaw on the AdultFriendFinder site, which if successfully exploited could allow an attacker to remotely run malicious code on the web server.

But it’s not known who carried out this most recent hack. When asked, Revolver denied he was behind the data breach, and instead blamed users of an underground Russian hacking site.

The attack on Friend Finder Networks is the second in as many years. The company, based in California and with offices in Florida, was hacked last year, exposing almost 4 million accounts, which contained sensitive information, including sexual preferences and whether a user was looking for an extramarital affair.

ZDNet obtained a portion of the databases to examine. After a thorough analysis, the data does not appear to contain sexual preference data unlike the 2015 breach, however.

The three largest sites’ SQL databases included usernames, email addresses, and the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn’t cryptographically as secure as newer algorithms.

LeakedSource said it was able to crack 99 percent of all the passwords from the databases.

The databases also included site membership data, such as if the user was a VIP member, browser information, the IP address last used to log in, and if the user had paid for items.

ZDNet verified the portion of data by contacting some of the users who were found in the breach.

One user (who we are not naming because of the sensitivity of the breach) confirmed he used the site once or twice, but said that the information they used was “fake” because the site requires users to sign up. Another confirmed user said he “wasn’t surprised” by the breach.

Another two-dozen accounts were verified by enumerating disposable email accounts with the site’s password reset function. (We have more on how we verify breaches here.)

When reached, Friend Finder Networks confirmed the site vulnerability, but would not outright confirm the breach.

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources. Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation,” said Diana Ballou, vice president and senior counsel, in an email on Friday.

“While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability,” she said.

“FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues,” she added.

When pressed on details, Ballou declined to comment further.

But why Friend Finder Networks has held onto millions of accounts belonging to customers is a mystery, given that the site was sold to Penthouse Global Media in February.

“We are aware of the data hack and we are waiting on FriendFinder to give us a detailed account of the scope of the breach and their remedial actions in regard to our data,” said Kelly Holland, the site’s chief executive, in an email on Saturday.

Holland confirmed that the site “does not collect data regarding our members’ sexual preferences.”

LeakedSource said breaking with usual tradition because of the kind of breach, it will not make the data searchable.

The breach is also thoughtfully covered by the always excellent Atlantic Monthly. The Sydney Morning Herald, in reporting on the hack, recommended not providing actual personal information, mainly by using one-off email addresses. This effectively means that there is no confidence in the platform used. In the case of dating sites that might just be a credible argument, but for most sites this is a burden that is not sustainable. Proper regulation and enforcement should be part of the solution. Giving users a real cause of action should also be available. Cyber security should work on the same principles as physical security. It is a necessary part of every business. The problem is that the consequences of failures which result in breaches are just inadequate.
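The ZDNet report above notes that Friend Finder stored passwords either in plaintext or as unsalted SHA-1, which is why 99 percent could be recovered. The following is an added example (not code from the page, ZDNet or Friend Finder) of the defensive fix: a login routine that recognises such legacy records, verifies them once, and transparently rewrites them as salted scrypt hashes. The record format and the `scrypt$` prefix are my own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Assumed legacy layout: a bare 40-hex-digit string is an unsalted SHA-1,
# anything we have not written ourselves is treated as plaintext.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
SCRYPT_PREFIX = "scrypt$"  # our own upgraded format (assumption)

def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 as the breached sites used it: same password, same hash."""
    return hashlib.sha1(password.encode()).hexdigest()

def classify_stored_password(stored: str) -> str:
    """Label a stored credential so an audit can count weak records."""
    if stored.startswith(SCRYPT_PREFIX):
        return "scrypt"
    if SHA1_HEX.fullmatch(stored.lower()):
        return "sha1-unsalted"
    return "plaintext"

def hash_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash; each record gets its own random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"{SCRYPT_PREFIX}16384$8$1${salt.hex()}${dk.hex()}"

def verify_scrypt(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login; on success a legacy record is replaced by scrypt.
    Returns (accepted, record_to_store)."""
    kind = classify_stored_password(stored)
    if kind == "scrypt":
        return verify_scrypt(password, stored), stored
    if kind == "sha1-unsalted":
        ok = hmac.compare_digest(legacy_sha1(password), stored.lower())
    else:  # plaintext
        ok = hmac.compare_digest(password.encode(), stored.encode())
    return ok, (hash_scrypt(password) if ok else stored)
```

Run `classify_stored_password` over an exported credentials table to measure how many records are still plaintext or unsalted SHA-1; every successful login then shrinks that count.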

Meanwhile Australia’s Big W has shut down its online shopping site after it revealed personal information of shoppers to others using the site. That information included customer names, phone numbers and addresses. It is reported by iTnews in Big W shutters online shopping after data leak, which provides:

Checkout pages pre-populated with other customers’ data.

Retailer Big W’s website remains in browsing-only mode after a glitch meant shoppers were shown the personal information of other customers.

In a notice to customers, Big W said the “technical issue” occurred on Thursday November 10 between 1.50pm and 3pm.

It meant “the first stage of the checkout process [was] pre-populated with the personal information of another customer”.

The data leak included a customer’s name, phone and address.

Big W took down the website at 3pm on Thursday, and it has remained in browse-only mode since.

The retailer said it expected the site to return to normal functionality over the coming few days due to a staged restoration.

It said no passwords, login details, bank accounts or credit card information was leaked, meaning there is no need for customers to contact their banks or change site account details or passwords.

Big W did not reveal how many customers were affected by the privacy breach, saying that only a “small number of customers” were involved.

It said it had reported the incident to the Privacy Commissioner.
