AdultFriendFinder was hacked

The first estimate I see of worldwide Dutch speakers is ~23 million[0]. There's over 5 million Dutch speakers (Flemish) in Belgium alone.

So you're looking at somewhere between 15-20% of Dutch speakers have accounts, which seems more reasonable, particularly if some people have more than one account (very likely, I'm guessing).

0. http://www.ucl.ac.uk/atlas/dutch/who.html

Simple. Most accounts are fake. The thing with AFF is that it's paying top dollars in affiliate programs. So everyone and their dog are building a fake profile to lure some naive guys into buying a subscription.

Probably 90% bots and throwaway accounts.

You need to double that, unless you exclude females. Why do you stop at 55?

"15-24 years: 12.11% (male 1,050,889/female 1,010,596) 25-54 years: 39.83% (male 3,400,998/female 3,377,311)"

When I moved to NL I was surprised to hear swinger/secret affair advertisements on the radio. I think a higher-than-average percentage of the Dutch population uses those sites compared to the US

Spammers?

Belgians?

I tried adult friend finder many years ago. It was nothing but Nigerian scammers. I doubt the majority of the profiles are real.

Local File Inclusion is when you have PHP code like

  include("some/path/" . $_GET['some_url_parameter']);

Adding &some_url_parametr=../../../etc/passwd (or ../../../var/uploads/evil_script.txt) allows you to insert arbitrary text file from the server into the generated HTML or execute arbitrary PHP code (which in turn can even run arbitrary shell commands if this is enabled on the server).

Since PHP has such feature, people use it and to this day you'll occasionally run into a website which employs this pattern. Common use case is

  bad-example.com/article.php?id=article_name.txt

where article.php contains headers, footers, formatting, etc and actual articles are stored in text files.

IMO, if you're checking the URL for directory traversal it's already too late. Whenever I build a server that serves files, I maintain a whitelist set of served files, and the first thing I do in the file request handler is check if the URL is in the set. If not, immediately drop to 404. There's too much that can go wrong with trying to sanitize inputs; it's better to rule out the possibility of unsanitized data by design. There's more than one approach to this, and none of them admit directory traversal.

That's one possibility. Another common flaw is upload/download features, where you can get directory traversal (../) in the upload or download file name that you are specifying.

When you've got file read, procfs is very nice :)

That's it exactly. For example, Upload a jpg that is actually code and then call that jpg through the exploit.

lolphp

I feel this is a defeatist stance to take; LFI's are a solved problem and we should be looking to how and why this happened and prevent it in the future.

Another angle: we're supposed to not do anything that requires any form of confidentiality online? can't book a doctors appointment, transfer money, send emails to family?

Read Quinn Norton's "Hello Future Pastebin Readers!"

https://medium.com/message/hello-future-pastebin-readers-39d...

Norton's law: Over time, all data approaches deleted, or public.

No. This is a stance of totalitarian regimes. I doubt the people that joined this site should be shamed for their choices.

No, get people to make safe and proper websites.

The internet is becoming too important to our lives, we can't just say "presume everything is public"

Your advice means that someone should refuse to visit a doctor or hospital which uses computers, since "I have to act like everything online could be public!". That's just unworkable.

As a pakistani, that cracked me up. We are at the top of the list of porn searching countries, I think ( http://tribune.com.pk/story/823696/pakistan-tops-list-of-mos... ) and porn sites often have AdultFriendFinder ads, so it is possible that a pretty large number of pakistani people signed up. (Assuming there's a free sign up)

Some bot's default?

Because they hate India

If you're being proactive about it, one approach is to create "canary" accounts: single purpose email addresses that signup for your service and nothing else. When those email addresses start getting spam, it's a strong indicator your database has been accessed.

Many users signup for each online service with a single-purpose email address. e.g. <servicename>@uniquedomain.com, so many customers will often know of a leak as soon as the service provider does.

At the last company I worked for, we discovered an intrusion when we started getting a ridiculous number of credit card fraud complaints. It should be noted that we sold scientific instrumentation to other small companies and rural markets so it was pretty easy for them to figure where their info got stolen from when they only used their cards for infrequent transactions.

I'm shocked that developers of such sensitive website would do this. Were the owners cheap and hired some offshore team for pennies?

It definitely shows how terrible people are at password generation and reuse but even more so how little it matters on individual sites if those folks have no understanding or don't care about protecting passwords. Yet people keep using 123456 as a password.

Major props to Anthony https://github.com/ircmaxell for adding this as a language supported feature to PHP as well for his work on techniques for preventing injection.

I work with C#, Java, Python Go and JS on backends a lot and no other language I worked with had such a simple but secure API.

v5.5 actually, but there is a userland library to provide the same functionality - https://github.com/ircmaxell/password_compat

well on java it's at least:

    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(StandardCharsets.UTF_8), iterations, digestSize)
    SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
    byte[] hash = skf.generateSecret(spec).getEncoded()

ant then using MessageDigest.isEqual (on newer jvm, older ones had a bug up to 6 45 or so) to compare the passwords.

well the biggest problem is probably generating a truly random salt with SecureRandom, which will slow down your program if used incorrect.

It would probably be difficult to prove with certainty, but depending on what the passwords are, you could potentially be able to do something like that. For example, if there are enough accounts that have the same password (which is also relatively unique), then at some point it will be a statistical impossibility that they were all created by different people.

I'm guessing they got an exclusive on that one. Want to ramp up the PR machine before delivering the goods. They'll drop it when everyone's excited enough. I doubt they care about privacy, the whole point of their service is/was not caring about it (as opposed to haveibeenpwned).

Could just be a reference to the Drake album