The personal information of users of an adult webcam site, including their email addresses and sexual orientation, has been exposed in a breach that potentially leaked 7 terabytes of data.
CAM4 is a popular streaming platform offering “free live sex cams”.
Security review site SafetyDetectives revealed this week that it had discovered an online company database without password protection containing 10.88 billion user records, including names, payment logs, chat records, country of origin, registration dates, device information, hashed passwords and email transcripts.
Over 270,000 of these records relate to Australian user logs.
The server was intended for internal CAM4 use only, but a misconfiguration meant it had been left online unprotected – within everyone’s reach.
This does not necessarily mean that malicious actors gained access to the data, with SafetyDetectives claiming the vulnerability was fixed quickly after the company was notified.
SafetyDetectives searched the Shodan engine for unsecured databases and found the CAM4 ElasticSearch production database containing the personally identifiable information.
“Leaving their production server exposed publicly without any password is really dangerous for users and for the business,” said Anurag Sen, researcher at SafetyDetectives.
Misconfiguration is a common mistake that can leave very sensitive information exposed to anyone on the internet who finds it, security consultant Bob Diachenko told Wired.
“It’s a very common experience for me to see a lot of Elasticsearch instances exposed,” Diachenko said. “The only surprise that came out was the data that is on display this time.”
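The condition the researchers describe, a production Elasticsearch node that answers without any credentials, can be checked on your own hosts. This is an added audit helper, not code from the article, CAM4 or SafetyDetectives; the hostname and port are assumptions.

```python
"""Audit helper: does an Elasticsearch node answer unauthenticated requests?

Added example for this article, not code from CAM4 or SafetyDetectives.
Point it only at nodes you operate; host and port below are assumptions.
"""
import json
import urllib.error
import urllib.request


def classify(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET on the root endpoint.

    Returns "exposed", "auth-required" or "not-elasticsearch".
    """
    if status == 401:
        # Security is enabled: the node demands credentials before answering.
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        # A node with no authentication reports cluster name and version to anyone.
        if "cluster_name" in doc and "version" in doc:
            return "exposed"
    return "not-elasticsearch"


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Send one unauthenticated GET to the node and classify the reply."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample replies so the classifier can be exercised offline.
OPEN_NODE = json.dumps({"name": "node-1", "cluster_name": "prod",
                        "version": {"number": "7.6.0"}, "tagline": "You Know, for Search"})
SECURED_NODE = json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"},
                           "status": 401})

if __name__ == "__main__":
    print(probe("localhost"))  # assumption: a local node on the default port
```

A verdict of "exposed" is the CAM4 situation: remediation is enabling authentication and binding the node to a private interface, not relying on nobody finding it.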
The 7 terabytes of data are made up of 10.88 billion CAM4 user records.
Of these, 11 million records contained email addresses, while 26 million contained password hashes.
A few hundred records included full names, credit card types, and payment amounts.
It is estimated that around 6.6 million users were caught in the leak. The majority of the registrations are for people in the United States, while 5.4 million are from Brazil, 4.9 million from Italy and 4.2 million from France.
The server was taken offline by CAM4’s parent company, Granity Entertainment, within half an hour of their notification, SafetyDetectives said.
Sensitive data could easily be used for identity theft, phishing scams, website attacks or blackmail, the researchers said.
“User emails could be targeted with data leaks and then used maliciously to trigger clicks with phishing scams and malware deployed against unsuspecting targets,” they said.
“The fact that much of the email content comes from popular domains like Gmail, Hotmail, and iCloud – domains that offer additional services like cloud storage and business tools – means compromised CAM4 users could potentially see huge volumes of personal data, including photographs, videos and related business information, leaked to hackers, assuming their accounts were ultimately hacked by phishing, for example.
“This information could then be weaponized to compromise other individuals and groups such as family members, co-workers, employees and customers of other companies.”
Ashley Madison’s infamous 2015 data breach was then linked to extortion, exploitation and lawsuits, with the data of the 36 million adult site users leaked.
This week also saw a major data breach at the world’s largest web domain registry. A malicious actor obtained login credentials for the hosting accounts of 28,000 GoDaddy customers after the attackers broke into some of the company’s servers and gained access to secure shell (SSH) connections.
Last year, more than 770 million email addresses and usernames and 20 million passwords were discovered on a cloud service during a major breach. The 87 GB collection appeared to be a compilation of data leaked in previous breaches and raised concerns about credential stuffing attacks.