So here we are, another week and another brace of humongous breaches.
The first, appearing in these pages for the third time, is AdultFriendFinder.com, a site dedicated to enabling you to: “Hookup, Find Sex or Meet Someone Hot Now”.
Yes, once again user details from AdultFriendFinder have been breached and published. 412 million of them of which 5,650 are .gov addresses and 78,301 .mil addresses with all of the associated blackmail opportunities that this offers.
Just in case you were breathing a sigh of relief, the breach also compromised associated sites: Cams.com, iCams.com, Stripshow.com and Penthouse.com. Still in the clear? Very good.
Somewhat unbelievably, especially since AdultFriendFinder suffered a similar breach in 2015, many of the passwords were stored in the database in plain text (REALLY?) and those that were hashed used unsalted SHA-1, so they have already been cracked. You will be mostly unsurprised by the list of common passwords:
Rank  Password     Frequency
1     123456         900,420
2     12345          635,995
3     123456789      585,150
4     12345678       145,867
5     1234567890     133,414
6     1234567        112,956
7     password       101,046
8     qwerty          86,050
9     qwertyuiop      43,755
10    987654321       40,627
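To show why unsalted SHA-1 is little better than plain text, here is an added example (ours, not anything from AdultFriendFinder or the breach data) that stores a constructed handful of users under that scheme, then under per-user salted PBKDF2. With no salt, every user who chose 123456 gets the same digest, so a frequency table like the one above drops straight out of the dump, and a precomputed list of the ten entries above recovers those accounts instantly. The user names, passwords and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample users (not real breach data); several share the
# weakest entries from the frequency table above.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "password",
    "dave": "qwerty",
    "erin": "correct horse battery staple",
}

# The ten entries from the frequency table above, used as a tiny lookup
# list for auditing a password store.
TOP10 = ["123456", "12345", "123456789", "12345678", "1234567890",
         "1234567", "password", "qwerty", "qwertyuiop", "987654321"]


def weak_store(password: str) -> str:
    """The scheme described in the post: SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_weak_store(users: dict[str, str]) -> dict[str, str]:
    """Map each user to their unsalted SHA-1 digest."""
    return {user: weak_store(pw) for user, pw in users.items()}


def duplicate_counts(stored: dict[str, str]) -> Counter:
    """Without a salt, equal passwords give equal digests, so the most
    common passwords are visible as the most common digests."""
    return Counter(stored.values())


def audit_against_list(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Defender's audit: which accounts' digests match a precomputed digest
    of a known-bad password list (here the top ten from the table)."""
    table = {weak_store(pw): pw for pw in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


# Assumed iteration count for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000


def strong_store(password: str) -> str:
    """Hardened form: 16-byte random salt per user and a slow KDF.
    Record format: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = build_weak_store(SAMPLE_USERS)
    print("most common digest:", duplicate_counts(weak).most_common(1))
    print("accounts on the top-10 list:", audit_against_list(weak, TOP10))
    rec_a = strong_store("123456")
    rec_b = strong_store("123456")
    print("same password, different records:", rec_a != rec_b)
    print("verify correct password:", strong_verify("123456", rec_a))
    print("verify wrong password:", strong_verify("12345", rec_a))
```

Running it shows two constructed users collapsing onto one SHA-1 digest, four of the five accounts recovered by a ten-entry lookup, and two salted PBKDF2 records for the same password that differ yet both verify.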
This raises two obvious questions here at ITC Towers. The first, ‘why are these passwords so rubbish?’; the second, especially for regular, eagle-eyed readers of this blog, ‘what happened to all the cat enthusiasts?’.
Whilst we don’t know what happened to the kitten posse, we have a theory about these rubbish passwords. The fact that many people are rubbish with passwords is a given, but we have a sneaking feeling that outfits like AdultFriendFinder might not be as scrupulous as, say, CoOperative Funeral services, and might, just might, especially in their early years, pay some offshore outfits to register a truckload of leggy blondes gagging to meet retired police officers and judges for a ‘good time’. Using an obvious password would enable these fake accounts to be updated with real-life facts and tempting pictures… perhaps we are too cynical.
If you struggle to remember passwords, especially if you are a public servant and partial to registering on sites like this, you really need to make sure that you use different passwords on different websites, so that a breach of one of these high quality establishments doesn’t wreak havoc with your life. We recommend the use of a password management tool. There are loads out there.
In a further illustration of the blatant state of security amongst some providers, you may have read that Three UK (the mobile comms outfit) was breached earlier this week, with up to ‘6 million users’ credentials being at risk’ according to The Telegraph.
Well, The Old Bill have made three arrests in connection with the breach. Have they nicked Moriarty, Lord Lucan or Ernst Stavro Blofeld? No. They have arrested three gentlemen from Kent and Manchester who, having pulled off the major data heist, presumably with extreme cunning and guile, then rifled through the data, identified a monster EIGHT customers eligible for an upgrade and ordered upgraded phone hardware in order to keep it and resell it.
The speed with which these collars were felt indicates that perhaps these chaps sent the fraudulently obtained iPhones to their home addresses. Did they buy the data online from l33t hax0r5 or did one of them run a script or something even easier against a public facing Three server? Time will tell. Place your bets.
If you would like to discuss these monster data breaches and how to avoid them, please contact us at: [email protected] or 020 7517 3900.