The personal details of millions who signed up to a sex hook-up website in the past 20 years have been exposed in one of the largest ever data breaches.
The email addresses and passwords of 412 million accounts have been leaked after the meet-up website Adult Friend Finder and sister sites were hacked. At least 5.2 million UK email addresses were stolen in the breach, which also included the date of last visit, browser information and purchasing patterns.
Adult Friend Finder describes itself as "one of the world's largest sex hook-up" websites, and has more than 40 million active users. The hack, against its parent company Friend Finder Networks, also involved data from Cams.com, a live video sex site, and Penthouse.com, an internet porn site that was sold in February.
The attack, discovered by hack monitoring site Leaked Source, occurred in October and is one of the biggest on record, following closely behind Yahoo, which recently reported the loss of half a billion users' details. It eclipses last year's Ashley Madison hack, in which the personal information and sexual preferences of 37 million people were exposed.
It is not clear who is behind the breach of Friend Finder Networks, a California-based company.
Weak and outdated website security allowed cyber criminals to access the Adult Friend Finder information, Leaked Source said. The passwords and usernames were stored in a way that is easily decoded, meaning 99 per cent of those stolen were legible to the hackers.
"Passwords were stored by Friend Finder Networks either in plain visible format or SHA1 hashed. Neither method is considered secure by any stretch of the imagination," said Leaked Source.
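The weakness of unsalted SHA-1 storage, and one way a site holding such records can move to a salted, slow hash as users log in, is shown in the following Python code. It is an added example, not code from Friend Finder Networks or Leaked Source; the record format, function names, sample password and PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment

def legacy_sha1(password):
    """Unsalted SHA-1 record, one of the two storage schemes quoted above."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def kdf_record(password, salt=None, iterations=ITERATIONS):
    """Per-account random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Return (ok, record_to_store); a valid legacy record is upgraded on login."""
    parts = record.split("$")
    if parts[0] == "sha1" and len(parts) == 2:
        ok = hmac.compare_digest(legacy_sha1(password), record)
        return ok, (kdf_record(password) if ok else record)
    if parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = kdf_record(password, bytes.fromhex(parts[2]), int(parts[1]))
        return hmac.compare_digest(candidate, record), record
    return False, record  # unknown scheme: reject rather than guess

def demo():
    pw = "Summer2016!"  # constructed sample password shared by two accounts
    store = {"alice": legacy_sha1(pw), "bob": legacy_sha1(pw)}
    same_legacy = store["alice"] == store["bob"]    # unsalted: identical digests
    for user in store:                              # simulate both users logging in
        ok, store[user] = verify(pw, store[user])
        assert ok
    same_upgraded = store["alice"] == store["bob"]  # salted: records now differ
    return same_legacy, same_upgraded, store

if __name__ == "__main__":
    print(demo()[:2])
```

With unsalted SHA-1, every account sharing a password carries the same digest, so recovering one recovers them all; after the upgrade each account has its own salt and the records no longer match.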
The stolen data included the details of 15 million accounts that had been deleted by the users but remained on the company's servers.
Friend Finder Networks, which lost the login details, date of birth and sexual preferences of almost 4 million users in 2015, would not confirm the breach, but said it had found vulnerabilities in its site, according to ZD Net.
"Over the past several weeks, Friend Finder has received a number of reports regarding potential security vulnerabilities," said Diana Ballou, the company's vice president.
"Immediately upon learning this information, we took several steps to review the situation and bring in the right external partners to support our investigation.
"While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability."
Experts warned that companies need to do more to make sure their customers' personal details are kept safe.
"Companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk," said Ilia Kolochenko, chief executive of High-Tech Bridge. "With this breach of 400 million accounts we should expect a domino effect of smaller data breaches with password reuse and spear-phishing."
Whose details were stolen?
Leaked Source has decided not to release the full database of people affected by the breach due to the sensitive nature of the information. But anyone who has signed up to one of the affected sites in the past 20 years could be at risk, given that 15 million users who had deleted their accounts were affected.
Anyone who has used the following sites could have been affected:
• AdultFriendFinder.com - 3.4 million users affected
• Cams.com - 62.7 million users
• Penthouse.com - 7.12 million users
• Stripshow.com - 1.4 million users
• iCams.com - 1.14 million users
How to protect your information
If you think you may have had information stolen in the breach, you are advised to change your passwords immediately.
The data taken in the breach includes email addresses and usernames, which could be used in future spam and phishing attacks. While these can't be prevented, you should be extra-alert to suspicious emails if you have signed up to one of the Friend Finder Network sites.
Fake emails often contain tell-tale signs such as spelling mistakes and grammatical errors. If you're uncertain about the source of an email make sure you don't click on any links or provide the sender with any sensitive information. It is also advised that you don't call a phone number provided in a suspicious message.
To shore up your safety online, when you receive an email asking you to check your account, manually type the company's website into your browser rather than clicking on a link, which could take you to a fake version of the site.