Adult dating service company Friend Finder Networks has reportedly been hacked, with over 412 million accounts, email addresses and passwords from its websites made available on criminal marketplaces.

A group that collects stolen data claims to have obtained 412 million accounts belonging to Friend Finder Networks, the California-based company that runs thousands of adult-themed sites in what it described as a "thriving sex community."

LeakedSource.com, a service that obtains data leaks through shady underground circles, believes the data is legitimate. Friend Finder Networks, stung last year when its Adult Friend Finder website was breached, could not be immediately reached for reaction (see Dating Website Breach Spills Secrets).

The sites breached would appear to include AdultFriendFinder.com, iCams.com, Cams.com and Stripshow.com, the last of which redirects to the definitely not-safe-for-work playwithme[.]com, run by Friend Finder subsidiary Steamray. Leaked Source provided samples of data to journalists in which those sites were mentioned.

But the leaked data could encompass many more sites, as Friend Finder Networks runs as many as 40,000 websites, a Leaked Source representative says over instant messaging.

One large sample of data provided by Leaked Source at first seemed not to contain current registered users of Adult Friend Finder.

Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification site, says that at first glance some of the data appears legitimate, but it's still early to make a call. "I'd need to see a complete data set to make an emphatic call on it."

If the data is accurate, it would mark one of the largest data breaches of the year behind Yahoo, which in October blamed state-sponsored hackers for compromising at least 500 million accounts in late 2014 (see Massive Yahoo Data Breach Shatters Records). It also would be the second one to affect Friend Finder Networks in as many years.

The latest Friend Finder Networks breach would only be rivaled in sensitivity by the breach of Avid Life Media's Ashley Madison extramarital dating site, which exposed 36 million accounts, including customers' names, hashed passwords and partial credit card numbers (see Ashley Madison Slammed by Regulators).

The first clue that Friend Finder Networks might have another problem came in mid-October. CSOonline reported that someone had posted screenshots on Twitter showing a local file inclusion vulnerability in Adult Friend Finder. Those types of vulnerabilities allow an attacker to supply input to a web application, which in the worst scenario can allow code to run on the web server, according to OWASP, the Open Web Application Security Project.

The person who found that flaw has gone by the nicknames 1x0123 and Revolver on Twitter, which has suspended the accounts.

The hack also revealed that the company had kept information on 15 million accounts that users had deleted, as well as information on users for assets it no longer owned, such as Penthouse.

Notably, the database does not include more detailed personal information, but could still be used to confirm whether a person was a user of the service. It also has a slight benefit, as Leaked Source writes that "the credentials will be slightly less useful for malicious hackers to abuse in the real world."

For a subscription fee, Leaked Source allows its customers to search through data sets it has collected. "We don't want to comment directly about it, but we weren't able to reach a final decision yet on the subject matter," the Leaked Source representative says. In May, Leaked Source removed 117 million emails and passwords of LinkedIn users after receiving a cease-and-desist order from the company.
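The article names a local file inclusion vulnerability as the first visible sign of trouble but does not show what the defensive pattern against that bug class looks like. The following is an added example, written for this page and not code from the article, from Friend Finder Networks or from OWASP. It shows the two usual mitigations in Python: resolving a request-supplied page name against a fixed base directory and refusing anything that escapes it, and, stricter still, accepting only names from an explicit allowlist. The base directory `pages`, the allowlist contents and the sample request strings are constructed assumptions for the example.

```python
"""Added example (not from the article): rejecting local file inclusion input.

A local file inclusion bug arises when a web handler builds a filesystem path
from a request parameter and includes whatever file that path names. The
defence below resolves the requested name under a fixed base directory and
refuses anything that resolves outside it; the strict variant additionally
requires the page name to appear in an allowlist. All names are constructed.
"""
from pathlib import Path

# Constructed allowlist: the only page names the strict handler will include.
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


class UnsafeIncludeError(ValueError):
    """Raised when a requested include name is rejected."""


def resolve_include(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` under `base_dir`.

    Raises UnsafeIncludeError if the name is empty, contains a NUL byte,
    carries a URL scheme, or resolves (after ``..`` and symlink handling)
    to anything that is not strictly inside `base_dir`.
    """
    if not requested or "\x00" in requested:
        raise UnsafeIncludeError("empty or NUL-containing include name")
    if "://" in requested:
        # scheme://... names are never local page files.
        raise UnsafeIncludeError("include name carries a URL scheme")
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` discards `base` entirely, so the
    # containment check below is what actually enforces the boundary.
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise UnsafeIncludeError(f"{requested!r} resolves outside {base}")
    return str(candidate)


def choose_template(base_dir: str, page: str) -> str:
    """Strict variant: accept only allowlisted page names, then map to a file."""
    if page not in ALLOWED_PAGES:
        raise UnsafeIncludeError(f"page {page!r} is not in the allowlist")
    return resolve_include(base_dir, page + ".html")


def include_is_safe(base_dir: str, requested: str) -> bool:
    """Predicate form of the containment check, for logging or tests."""
    try:
        resolve_include(base_dir, requested)
    except UnsafeIncludeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are the
    # classic shapes a containment check must refuse.
    for name in ("about.html", "sub/../about.html", "../../etc/passwd",
                 "/etc/passwd", "file://etc/passwd", "about.html\x00.txt"):
        verdict = "ok" if include_is_safe("pages", name) else "rejected"
        print(f"{name!r:28} -> {verdict}")
```

The containment check works on the resolved path rather than on the raw string, so `sub/../about.html` is accepted (it lands inside `pages`) while `../../etc/passwd` and an absolute `/etc/passwd` are refused even though neither contains an obviously bad substring. The allowlist variant is the one to prefer when the set of includable pages is known in advance, since it removes the filesystem from the decision altogether.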