Adult FriendFinder Vulnerability Leaves Millions Exposed

Security experts are reporting popular adult website Adult FriendFinder has been compromised by hackers who have gained access to the site’s backend servers.

Adult website Adult FriendFinder may have been compromised by a hacker who said he has gained access to the site’s backend servers and posted allegedly compromised data to his Twitter feed. The breach has not been confirmed by the site’s parent company FriendFinder Networks, which says it is looking into reports of the breach.

“We are aware of reports of a security incident, and we are currently investigating to determine the validity of the reports. If we confirm that a security incident did occur, we will work to address any issues and notify any customers that may be affected,” the company said in a written statement.

The compromise was publicly disclosed on the Twitter feed of the hacker, who goes by the handles Revolver and 1x0123. The self-described “underground researcher” claims to have gained access to Adult FriendFinder’s servers via a local file inclusion (LFI) vulnerability. Those claims have not been verified; however, screenshots claiming to show access to several Adult FriendFinder servers have been posted to 1x0123’s Twitter feed.

A local file inclusion vulnerability can allow a hacker to make a web application include files that are local to the server through a script and, in some cases, to execute PHP code. Hackers can take advantage of an LFI vulnerability when sites use user-supplied input without proper validation, something Adult FriendFinder is guilty of, according to 1x0123.
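The validation gap described above, sketched in PHP as an added example (not code from Adult FriendFinder or from this article): a request parameter passed straight to `include`, next to a hardened lookup. The function names, the `pages` directory and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (shown for contrast, never called here): the request
// parameter flows straight into include, so the caller chooses the file.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page;
}

// Hardened form: accept only a plain template name, resolve it, and require
// the result to be a .php file inside the template directory.
function resolve_template(string $baseDir, string $page): ?string
{
    // Reject anything that is not a plain name: no slashes, dots or NUL bytes.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $page) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or template does not exist
    }
    // Containment check on the resolved path, so a symlink inside the
    // template directory cannot point the include somewhere else.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: build a throwaway template directory and probe it.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', '<?php echo "home\n";');

foreach (['home', 'missing', '../outside', 'sub/home', "home\0.txt"] as $input) {
    $path = resolve_template($dir, $input);
    printf("%-20s => %s\n", json_encode($input), $path === null ? 'rejected' : 'served');
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only `home` is served; every other constructed input is rejected before any file is included.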

Adult FriendFinder is an adult-themed website with more than 60 million registered users, according to the company. According to Ezra Shashoua, chief financial officer of FriendFinder Networks, the company was made aware of the possible vulnerability on Tuesday. “We are investigating this claim right now,” Shashoua said. He added that, following the completion of the investigation, FriendFinder Networks will release a follow-up statement.

Images posted to 1x0123’s Twitter feed show 99 Adult FriendFinder database names, internal IP addresses, and a single password used to access multiple servers. The vulnerability, according to reports by Motherboard, has been confirmed by security researchers at Phobos Group.

Phobos Group did not return requests for an interview; however, the company’s founder Dan Tentler told Motherboard that the LFI vulnerability potentially exposed employee names, their home IP addresses, and even Virtual Private Network keys to access Adult FriendFinder’s servers remotely. Tentler said that an intrusion of this nature could lead to a “complete end-to-end compromise” of Adult FriendFinder.

If validated, this will not be the first time a FriendFinder Networks site has been hacked. In 2015, more than 3.5 million Adult FriendFinder customers had intimate details of their profiles exposed. Hackers then put user records up for sale on the Dark Web for 70 Bitcoin, or $16,000 at the time.

In 2012, the website MilitarySingles.com fell victim to a similar local file inclusion vulnerability. The social network said at the time that the vulnerability was tied to user-generated content uploaded to the site.

“Allowing the upload of user-generated content to the Web site can be extremely dangerous as the server which is usually considered by other users and the application itself as ‘trusted’ now hosts content that can be generated by a malicious source,” the company said in a statement at the time of the intrusion.
