Adult Websites Hack Uncovers Government Users, Highlights 'Lazy Password-Makers'

A large-scale breach revealed .gov and .mil credentials used to log into AdultFriendFinder.com and the Penthouse.com family of websites.

by / November 14, 2016

It has happened again. Some 412 million emails and passwords have been stolen from a family of adult websites geared toward hooking up and peeping porn.

Much like the Ashley Madison breach in August of 2015, the penetration into the reportedly soft security underbelly of AdultFriendFinder.com and the Penthouse.com family of websites has revealed a wealth of credential information and a sizeable constituency of accounts created using .gov and .mil email addresses.

Other websites compromised in the attack are Cams.com, Stripshow.com, iCams.com and an unknown domain.

Of the more than 400 million accounts exposed in the hack, some 5,650 accounts were founded using .gov email credentials and 78,301 were created with .mil email credentials. As was discovered in August of 2015, more than 15,000 government and military email addresses were exposed.

Perhaps more than anything else, security experts cite the dangers posed by the exposure of redundant passwords that could offer access to restricted systems and applications. 

Those reusable passwords, says Bruce Schneier, chief technology officer of IBM’s Resilient Systems and fellow at Harvard's Berkman Center, are the real low-hanging fruit for malicious actors in situations like this.

“I don't think there's any more risk other than personal embarrassment," he told Government Technology via email, "and the standard risk of reusing passwords."

While Dan Lohrmann*, chief security officer with Security Mentor Inc. agrees that passwords pose the greatest risk, he also sees other potential areas for concern.

Though many of the popular passwords listed on LeakedSource.com are not what you might consider safe for work, many others highlight just how lazy password-makers are these days. 

The top five passwords exposed in the breach were:

  • 123456 (900,420 uses);
  • 12345 (635,995 uses);
  • 123456789 (585,150 uses);
  • 12345678 (145,867 uses); and
  • 1234567890 (133,414 uses).

"Password," "qwerty" and "qwertyuiop" also made an appearance in the top 10 list of most used passwords by site patrons.

In addition, Lohrmann said the breach opens the door for other dangers like phishing schemes, ransomware attacks and social engineering efforts — not to mention the potential for good old-fashioned run-of-the-mill blackmail. Schneier, however, said he is not convinced these scenarios pose a significant risk.

Though LeakedSource said it would not be publishing a searchable version of the compromised information, anecdotal data was made available. 

*Dan Lohrmann is a regular security contributor to Government Technology.

Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as  assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.