AdultFriendFinder 2016 data breach: Security improvements

Every major online dating service has been the target of malicious hackers attempting to gain access to private information, but few attacks have been as severe, as pervasive or as publicly damaging as the data breach attack on AdultFriendFinder in October 2016.

The attack exposed the records of more than 360 million users, not just of AdultFriendFinder but of sites across the popular FriendFinder network. To this day, it is still one of the largest database breaches ever recorded, leaking the email addresses, usernames, passwords, sexual orientations, and even spoken languages of millions of people across more than two decades of AFF’s history.

Worse still, it exposed the downright shoddy security practices of the company, which included using SHA-1 cryptographic hashing, already more than a decade out of date by the time of the breach, and storing account passwords in plain text. 

Thankfully, parent company FriendFinder Networks took this breach seriously, and dramatically stepped up their security practices. Here are three major changes they made to help protect future users:

AFF overhauled their database security

Think of a website’s database as a kind of bank vault; it’s where all the valuable stuff that thieves are after is stored. In 2016, prior to the attack, AdultFriendFinder had the equivalent of a single-lock safe: it looked secure and intimidating, but malicious actors had long ago figured out how to crack the code. 

Now, they use the latest encryption technologies to bolster security, including a technique called “salted hashing” that involves combining each password with a unique, random string of characters (known as the salt) and then passing them through a one-way hash function. It’s a sophisticated way of ensuring that even accounts using identical passwords (looking at you, people who use “password” for your password) don’t all share the same vulnerability during a breach.

AFF hired outside security experts

The ugly truth is that companies are no longer self-sufficient when it comes to cybersecurity. Your in-house security team, as smart and hardworking as they may be, are not going to stand a chance against the wide variety of hackers and other malicious actors working 24/7 to access your data. 

The 2016 data breach humbled AFF enough to recognize this fact, and they’ve been contracting outside cybersecurity help ever since, including with Google subsidiary Mandiant. These cybersecurity firms don’t just examine the potential vulnerabilities in your coding; they also look at your corporate structure and employee practices to evaluate them for potential vulnerabilities. 

Forced password resets

Not all cybersecurity vulnerabilities are the fault (or exclusive fault) of the website. Sometimes, your own laziness is your biggest vulnerability. Part of beefing up AFF’s security involved forcing password resets, so you can’t use the same password year after year. 

This is now basically standard operating procedure across the internet: once every six months or once a year, you’re probably going to be asked to choose a new password. AFF has formalized this approach to help secure against password vulnerabilities that it can’t control, such as leaks on other dating sites (be honest: how many of you use the same password across multiple sites?) or hardware malware like keyloggers. 

Later this year, exactly one decade will have elapsed since AdultFriendFinder’s last security breach. Say what you will about their past mistakes — a full decade of cybersecurity success is an achievement, and modern users of the site should be grateful that AFF has stepped up their game in such a big way.