Vulnerability exploit (Resolved)

FriendFinder Networks breach

A local file inclusion flaw let attackers steal 412 million accounts across FriendFinder Networks' adult and dating sites, including AdultFriendFinder. Most passwords were stored in plain text or as unsalted SHA-1, and 'deleted' accounts were never actually removed.

Victim: FriendFinder Networks
Records: 412.2M
Users: 412.2M

On 13 November 2016, security researchers revealed that FriendFinder Networks (FFN), operator of AdultFriendFinder, Cams.com, Penthouse.com, and related adult and dating sites, had been breached, exposing 412 million accounts. It ranked as the largest disclosed breach of 2016 and one of the most sensitive ever, given the explicitly adult nature of the services involved.

What happened

The intrusion stemmed from a local file inclusion (LFI) vulnerability. An LFI flaw arises when a web application builds a file path from user-controlled input (typically a page or template parameter) without validating it, so an attacker can make the server include, and in a language such as PHP execute, files it was never meant to serve, for example source code or a configuration file holding database credentials. A researcher operating under the handle "Revolver" had publicized the vulnerability in October 2016; attackers used it to reach FFN's databases and exfiltrate the contents of six databases spanning the company's networks, including current and historical user records.
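
The following is an added example, not code from FriendFinder Networks or from the researchers who analysed the breach. It shows the LFI pattern described above in a minimal Python request handler beside a hardened version, using a throwaway directory, template names, and a fake configuration file that are all assumptions made for the demonstration. The vulnerable handler only reads the file; a PHP include would also execute it.

```python
"""Local file inclusion: the vulnerable pattern next to a hardened replacement.

Constructed example (not FriendFinder Networks code). The web root, the
template names and the secret file are fixtures created for illustration.
"""
import os
import tempfile
from pathlib import Path

# Throwaway web root: a public "templates" directory plus a configuration
# file that lives outside it (constructed fixture).
ROOT = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
TEMPLATES = ROOT / "templates"
TEMPLATES.mkdir()
(TEMPLATES / "home.html").write_text("<h1>home</h1>")
(ROOT / "config.php").write_text("$db_pass = 'hunter2';")  # assumed secret

ALLOWED_PAGES = {"home", "about"}  # assumed allowlist of real template names


def render_vulnerable(page: str) -> str:
    """Classic LFI: the request parameter is spliced straight into a path.

    This is the Python equivalent of PHP's include($_GET['page']). "../"
    sequences walk out of TEMPLATES, and an absolute path such as
    "/etc/passwd" makes os.path.join discard the base directory entirely.
    """
    path = os.path.join(TEMPLATES, page)
    with open(path) as fh:
        return fh.read()


def resolve_within(base: Path, name: str) -> Path:
    """Canonical-path check: the resolved target must stay under base.

    resolve() follows symlinks and collapses "..", so the comparison is made
    on the real filesystem location, not on the string the client sent.
    """
    target = (base / name).resolve()
    if base.resolve() not in target.parents:
        raise PermissionError(f"{name!r} escapes {base}")
    return target


def render_hardened(page: str) -> str:
    """Same feature with two independent checks.

    1. Allowlist: only known template names are accepted at all.
    2. Canonical-path check: even if the allowlist is later loosened, the
       resolved path must remain inside the template directory.
    """
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {page!r}")
    return resolve_within(TEMPLATES, f"{page}.html").read_text()


def demo() -> dict:
    """Run the same traversal payload against each layer of defence."""
    payload = "../config.php"
    results = {"vulnerable": render_vulnerable(payload)}
    for label, call in (("allowlist", lambda: render_hardened(payload)),
                        ("path_check", lambda: resolve_within(TEMPLATES, payload))):
        try:
            call()
            results[label] = "served"
        except PermissionError as exc:
            results[label] = f"blocked: {exc}"
    results["legit"] = render_hardened("home")
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:11s} {value}")
```

The allowlist alone would stop this payload, but keeping the canonical-path check as well means a future change that accepts free-form names does not silently reintroduce the traversal.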

The data-handling practices behind those databases compounded the damage. According to analysis of the dump, passwords were stored either in plain text or as unsalted SHA-1 hashes, with the SHA-1 values computed over lowercased passwords. Without a per-user salt, a single precomputed table of candidate hashes can be checked against every account at once, and lowercasing shrinks the candidate space further; researchers reported that roughly 99 percent of all passwords in the dataset were ultimately crackable. The breach also revealed that around 15 million accounts users had "deleted" were never actually purged and remained in FFN's systems.
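
As an added example (not taken from the published breach analysis), the block below reproduces the reported storage scheme on a constructed dump and cracks it with one lookup table, then stores the same passwords with a per-user salt and a slow key-derivation function to show why the table no longer works. The wordlist, user names and passwords are invented; stdlib PBKDF2 stands in for bcrypt, scrypt or Argon2, and the iteration count is illustrative.

```python
"""Why unsalted SHA-1 over lowercased passwords falls to a single lookup table.

Added example, not taken from the breach analysis. The wordlist, the user
records and both storage schemes are constructed for illustration. The weak
scheme mirrors what was reported (plain text or sha1(lower(password)) with
no salt); the salted scheme uses stdlib PBKDF2 as a stand-in for
bcrypt/scrypt/Argon2.
"""
import hashlib
import os

# Stand-in for a leaked-password wordlist (constructed, order fixed).
WORDLIST = ["123456", "password", "iloveyou", "qwerty", "letmein", "Dragon", "dragon"]

# Constructed users; the last password is deliberately not in the wordlist.
PLAINTEXTS = [("alice", "password"), ("bob", "iloveyou"),
              ("carol", "letmein"), ("dave", "correcthorse")]


def weak_store(password: str, plain: bool = False) -> str:
    """The reported scheme: plain text for some rows, sha1(lower(pw)) for the rest."""
    return password if plain else hashlib.sha1(password.lower().encode()).hexdigest()


# Constructed dump: alice's row is plain text, the others unsalted SHA-1.
DUMP = [(u, weak_store(p, plain=(u == "alice"))) for u, p in PLAINTEXTS]


def looks_like_sha1(value: str) -> bool:
    """Heuristic used to split the dump; a 40-hex-char plain password is ignored."""
    return len(value) == 40 and all(c in "0123456789abcdef" for c in value)


def build_lookup(words):
    """One SHA-1 per candidate, computed once and reusable against every user.

    Lowercasing before hashing collapses "Dragon" and "dragon" into one
    digest, so the table the attacker needs gets smaller, not larger.
    """
    return {hashlib.sha1(w.lower().encode()).hexdigest(): w.lower() for w in words}


def crack_unsalted(dump, words):
    """Return (cracked users, number of hashes computed for the whole dump)."""
    table = build_lookup(words)
    cracked = {}
    for user, stored in dump:
        if not looks_like_sha1(stored):
            cracked[user] = stored          # plain text: nothing to crack
        elif stored in table:
            cracked[user] = table[stored]   # O(1) lookup, no new hashing
    return cracked, len(table)


ITERATIONS = 50_000  # illustrative; tune to the login latency you can afford


def salted_store(password: str) -> tuple:
    """Per-user random salt plus a slow KDF; case is preserved."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_salted(records, words):
    """No shared table is possible: each (user, candidate) pair costs a full KDF run.

    Return (cracked users, number of KDF runs spent).
    """
    cracked, work = {}, 0
    for user, (salt, digest) in records:
        for w in words:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                cracked[user] = w
                break
    return cracked, work


def demo_salted():
    """Store the same constructed passwords properly and attack them the only way left."""
    records = [(u, salted_store(p)) for u, p in PLAINTEXTS]
    return crack_salted(records, WORDLIST)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(DUMP, WORDLIST))
    print("salted:  ", demo_salted())
```

Both attacks recover the same three weak passwords from this tiny dump, which is the point: hashing does not rescue a guessable password. The difference is cost. The unsalted table is built once (six digests here) and answers every row in the dump, whereas the salted scheme forces a separate slow KDF run per user and per candidate, which is what turns "99 percent crackable" into a budget the attacker has to pay per account.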

Impact

  • 412,214,295 accounts were exposed across FFN's properties, with roughly 339 million tied to AdultFriendFinder alone, the single largest site in the haul.
  • Exposed fields included usernames, email addresses, passwords (plain text or weak SHA-1), IP addresses, and site-membership details that could reveal participation in adult services.
  • Of the AdultFriendFinder passwords, more than 103 million were stored in plain text and roughly 232 million as unsalted SHA-1.
  • The presence of supposedly deleted accounts meant former users who believed they had erased their data were still exposed, a particular concern for a platform whose mere association carried reputational and blackmail risk.
  • This was FriendFinder Networks' second major breach in just over a year, following a 2015 incident that exposed several million AdultFriendFinder accounts.

Why it matters

The FriendFinder breach is the canonical example of sensitive-data exposure compounded by negligent storage. Plain-text passwords and unsalted SHA-1 in 2016, years after both LinkedIn and MySpace had demonstrated the consequences, reflected a fundamental failure to adopt basic password-hashing standards. The retention of "deleted" accounts violated a core user expectation and highlighted the gap between deletion as a UI action (often just a flag the application filters on) and actual data erasure.
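
The gap between a deletion the user sees and a deletion the database performs is easy to show concretely. The following is an added example, not FriendFinder Networks' schema or code: it contrasts a soft delete (a flag the application filters on) with a hard delete, as seen by the application and by someone holding a copy of the database, and includes the audit query that would flag the leftover rows. The table and e-mail addresses are constructed.

```python
"""A "deleted" account that the dump still contains.

Added example, not FriendFinder Networks' schema. Compares a soft delete
(flag filtered by the application) with a hard delete from two viewpoints:
the product's own query and an unfiltered dump of the table. The schema and
addresses are constructed.
"""
import sqlite3

SEED = ["a@example.com", "b@example.com", "c@example.com"]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Overwrite freed pages on DELETE so removed rows do not linger in slack space.
    db.execute("PRAGMA secure_delete = ON")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, "
               "deleted INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO users (email) VALUES (?)", [(e,) for e in SEED])
    return db


def soft_delete(db: sqlite3.Connection, email: str) -> None:
    """The common shortcut: flip a flag. The row, and the e-mail, stay on disk."""
    db.execute("UPDATE users SET deleted = 1 WHERE email = ?", (email,))


def hard_delete(db: sqlite3.Connection, email: str) -> None:
    """Remove the row. Real erasure must also reach replicas, backups and
    analytics copies, which this in-memory example does not model."""
    db.execute("DELETE FROM users WHERE email = ?", (email,))


def app_view(db: sqlite3.Connection) -> list:
    """What the product shows: the query filters the flag, so the user sees 'gone'."""
    return [r[0] for r in db.execute(
        "SELECT email FROM users WHERE deleted = 0 ORDER BY id")]


def dump_view(db: sqlite3.Connection) -> list:
    """What an attacker with database access or a stolen backup sees: no filter."""
    return [r[0] for r in db.execute("SELECT email FROM users ORDER BY id")]


def retention_audit(db: sqlite3.Connection) -> int:
    """Rows still flagged deleted. A scheduled job (or a test in CI) should
    require this to be zero once the retention window has passed; the
    window here is zero, so any flagged row is a finding."""
    return db.execute("SELECT COUNT(*) FROM users WHERE deleted = 1").fetchone()[0]


def compare() -> dict:
    """Apply each deletion style to an identical table and report both views."""
    soft, hard = make_db(), make_db()
    soft_delete(soft, "b@example.com")
    hard_delete(hard, "b@example.com")
    return {
        "soft_app": app_view(soft), "soft_dump": dump_view(soft),
        "soft_leftover": retention_audit(soft),
        "hard_app": app_view(hard), "hard_dump": dump_view(hard),
        "hard_leftover": retention_audit(hard),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:14s} {value}")
```

Soft deletes are a legitimate design when a short undo window is needed, but they require a purge job with a deadline and an audit like retention_audit that fails loudly when the job falls behind; without both, "delete" is only a display preference.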

Because the affected sites dealt in intimate and adult content, the breach carried outsized extortion and reputational risk for victims, beyond the credential-stuffing danger common to all leaks. It remains a reference case for why platforms handling sensitive personal data must combine modern password hashing (a per-user salt and a deliberately slow algorithm such as bcrypt, scrypt or Argon2), prompt patching of web-application flaws, and genuine data-deletion practices, and for the heightened harm when any of those fail.

Timeline

  1. October 2016: A researcher known as Revolver publicizes a local file inclusion vulnerability affecting FriendFinder Networks' servers.

  2. Reports indicate attacker access to FriendFinder Networks systems via the LFI flaw.

  3. 13 November 2016: LeakedSource and security researchers reveal that 412 million accounts across six FriendFinder Networks databases have been compromised.

  4. Analysis confirms passwords were stored in plain text or as unsalted SHA-1, and that roughly 15 million "deleted" accounts were still present in the data.

Sources

  1. techcrunch.com: https://techcrunch.com/2016/11/13/friendfinder-hack-412-million-accounts-breached
  2. csoonline.com: https://www.csoonline.com/article/558775/412-million-friendfinder-accounts-exposed-by-hackers.html
  3. computerweekly.com: https://www.computerweekly.com/news/450402859/412-million-user-accounts-exposed-in-FriendFinder-Networks-hack
  4. computerworld.com: https://www.computerworld.com/article/1675554/biggest-hack-of-2016-412-million-friendfinder-network-accounts-exposed.html