On 16 October 2016, Friend Finder Networks (FFN) – operator of AdultFriendFinder.com, Cams.com, Penthouse.com, Stripshow.com and iCams.com – suffered one of that year’s biggest breaches. Breach-notification service LeakedSource obtained a dump containing 412 million account records, about 339 million of them tied to AdultFriendFinder alone. What was stolen? Attackers exfiltrated usernames, email addresses, IP logs, spoken-language settings and passwords. Troublingly, 99 percent of passwords were stored either in plain text or with unsalted SHA-1, making them easy to crack. Analysts also uncovered 15 million “deleted” profiles that FFN had never actually removed. How the intruders got in: Forensic reviews point to a Local File Inclusion (LFI) vulnerability in an FFN web application. Exploiting the flaw let attackers read configuration files and pivot into production databases, siphoning two decades of registrations in one hit.​ Scope by the numbers: While 412 million rows were leaked, , w, e counted ≈219 million unique email addresses after deduplication – many users kept multiple profiles and “deleted” rows were still present. The dataset was traded privately on underground forums before landing in public breach-notification services in February 2020.​ Immediate fallout: Soon after disclosure, cracked credential lists circulated widely, fuelling credential-stuffing attacks on mainstream sites and a rush of sextortion spam citing AdultFriendFinder membership. Privacy advocates stressed that, unlike retail leaks, the exposure risked blackmail and involuntary outing of users’ sexual preferences.​ Company response: FFN said it “immediately engaged external security experts,” forced network-wide password resets and moved new credentials to bcrypt hashing, yet critics argued the steps were reactive and left long-standing patch-management and data-retention issues unresolved.​ Ongoing significance: FFN’s public statement on 14 November 2016 confirmed​ a security investigation but offered no detailed breakdown, leaving customers dependent on researchers for clarity. No payment cards were exposed – billing is outsourced – yet time-stamped IP addresses and login histories gave attackers a granular view of user behaviour. In October 2016, the adult entertainment company Friend Finder Networks suffered a massive data breach. The incident impacted multiple separate online assets owned by the company, the largest of which was the Adult FriendFinder website alleged to be "the world's largest sex & swinger community". Exposed data included usernames, passwords stored as SHA-1 hashes and 170 million unique email addresses. This incident is separate to the 2015 data breach Adult FriendFinder also suffered. The data was provided to HIBP by dehashed.com. As this breach has been flagged as sensitive,it is not publicly searchable. To see the exposure of email addresses in this breach, sign in to your dashboard and review results for your email address in the "Breaches" section under "Personal", or search any domains you control in the "Domains" section under "Business".