AdultFriendFinder 2016 data breach: Security improvements

Every major online dating service has been targeted by malicious hackers seeking access to confidential information, but few attacks have been as serious, widespread, or publicly damaging as the data breach attack on AdultFriendFinder in October 2016.

The attack exposed more than 360 million user records, and not just from AdultFriendFinder itself but sister sites throughout the popular FriendFinder network. To this day, it remains one of the largest data breaches ever recorded, leaking email addresses, usernames, passwords, genders, and languages ​​spoken by millions of people in the more than two decades of AFF history.

Worse, it unveiled new, tougher security practices, including using SHA-1 cryptographic hashing, which was more than a decade old at the time of the breach, and storing account passwords in plain text. It was an embarrassing moment for the company.

Thankfully, FriendFinder Networks has taken this breach seriously, and has dramatically increased its security procedures and policies. Here are three major changes they’ve made to help protect future users:

AFF has improved the security of their website

Think of a website database as a type of bank vault. This is where all the most important things are hidden. And thieves would love to get their hands on everything. In 2016, before the attack, AdultFriendFinder had the equivalent of a single-lock safe: it looked secure and intimidating, but malicious actors had long ago found a way to crack the code and get their hands on the loot.

Now, AFF uses the latest encryption technology to strengthen security, including a technique called “salted hashing” that involves combining each password with unique, random characters (known as a salt) and passing them through a one-way hash function. It’s a sophisticated way to ensure that even accounts that use the same passwords across different sites (I’m looking at you, the people who use your “password” password) are all vulnerable in the event of a breach.

AFF hired external security experts

The harsh reality is that companies cannot go it alone in the cybersecurity battle. The in-house security teams, smart and hard-working, just don’t stand a chance against an army of criminals and nefarious actors. These hackers are working 24/7 to access your important data and are always developing and finding new ways.

The 2016 data breach humbled AFF enough to realize this fact, and they have been contracting for cybersecurity assistance ever since, including help from Google-owned Mandiant. These cybersecurity companies don’t just check for potential vulnerabilities in your coding – they also look at business structure and personnel processes to check for potential vulnerabilities.

Forced password reset

Not all cybersecurity risks are the fault (or exclusive fault) of the website. Sometimes, users’ laziness can be a big risk – in other words, using the same passwords year after year and thinking it’s OK. AFF’s security enhancements include forced password resets, so you can’t use the same password every time.

This is now standard operating procedure across the Internet: Once every six months or once a year, you will be asked to choose a new password. AFF has legalized this approach to help protect against password vulnerabilities it cannot control, such as leaks from other dating sites. (Honest: How many of you use the same password on multiple sites? It doesn’t take much for a hacker to port a leaked password from one site to a bunch of other sites). This also protects against malware such as keyloggers.

Later this year, it will have been a decade since the last AdultFriendFinder security breach. Say what you will about their past mistakes – a full decade of cyber security success is an achievement, and modern users of the site should be grateful that AFF has stepped up their game in such a big way.