11 billion adult site records exposed | information age

The personal information of users of an adult webcam site, including their emails and sexual orientation, was taken in a breach that potentially exposed 7 terabytes of information.

CAM4 is a popular streaming platform offering “free live sex cams”.

Security review site SafetyDetectives revealed this week that it discovered an online company database without password protection containing 10.88 billion user records, including their names, payment logs, chat records, country of origin, signup dates, device information, hashed passwords, and email transcripts.

More than 270,000 of these records relate to user logs from Australia.

The server was intended for internal use at CAM4 only, but a misconfiguration meant it was left online unprotected – for anyone to find.

That doesn’t necessarily mean bad actors accessed the data; SafetyDetectives said the vulnerability was patched quickly after the company was made aware of it.

SafetyDetectives searched the Shodan search engine for insecure databases and found CAM4’s production ElasticSearch database, which contained personally identifiable information.
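The misconfiguration the article describes is typically a node bound to a public interface with no security layer enabled. As an added illustration (not CAM4’s configuration and not from the article; the version, file contents and keystore path are assumed), here is that weak `elasticsearch.yml` pattern for a 7.x single node, followed by a hardened fragment, separated as two YAML documents:

```yaml
# --- Weak fragment: how a node ends up indexed by Shodan (assumed example) ---
# Listening on every interface of a host with a public address while the
# security layer is off means anyone who can reach TCP/9200 can read, modify
# or delete every index without presenting a password.
network.host: 0.0.0.0
discovery.type: single-node
xpack.security.enabled: false   # explicit in 7.x; older releases shipped with no auth at all
---
# --- Hardened fragment: same single node, reachable only where intended ---
# 1. Bind to loopback (or an internal-only address). The host firewall or cloud
#    security group should also block 9200/9300 from the Internet as a second layer.
network.host: 127.0.0.1
discovery.type: single-node
# 2. Enable the built-in security layer so every HTTP request needs credentials
#    (initialise them with bin/elasticsearch-setup-passwords after first start).
xpack.security.enabled: true
# 3. Encrypt client traffic so those credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

After restarting with the hardened settings, an unauthenticated request to port 9200 should return HTTP 401 rather than the cluster banner, and the port should not answer at all from outside the internal network.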

“Leaving their production server exposed publicly without any passwords is really dangerous for users and for the business,” said Anurag Sen, researcher at SafetyDetectives.

Misconfiguration is common and can leave highly sensitive information exposed to anyone on the Internet who finds it, security consultant Bob Diachenko told Wired.

“It’s a very common experience for me to see many ElasticSearch instances exposed,” Diachenko said. “The only surprise that came out of it was the data that’s exposed this time.”

The 7 terabytes of data consist of 10.88 billion CAM4 user records.

Of these, 11 million records contained email addresses, while a further 26 million had password hashes.

A few hundred records contained full names, credit card types, and payment amounts.

It is estimated that around 6.6 million users were caught in the leak. The majority of records are for people in the United States, while 5.4 million were from Brazil, 4.9 million from Italy and 4.2 million from France.

The server was taken offline by CAM4’s parent company, Granity Entertainment, within half an hour of being notified, SafetyDetectives said.

Sensitive data could easily be used for identity theft, phishing scams, website attacks or blackmail, the researchers said.

“Users’ emails could be targeted with data leaks and then maliciously used to trigger clicks with phishing and malware scams deployed against unsuspecting targets,” they said.

“The fact that a large amount of email content comes from popular domains such as Gmail, Hotmail and iCloud – domains that offer additional services such as cloud storage and business tools – means that compromised CAM4 users could potentially see huge volumes of personal data, including photographs, videos, and related business information leaked to hackers, assuming their accounts were eventually hacked through phishing, for example.

“This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees and customers of other companies.”

The infamous data breach at Ashley Madison in 2015 was later linked to extortion, exploitation and lawsuits, with data leaked on the adult site’s 36 million users.

This week also saw a major data breach at the world’s largest web domain registry. A malicious actor obtained the login credentials for the hosting accounts of 28,000 GoDaddy customers, as the hackers broke into some of the company’s servers and accessed secure shell logins.

Last year, more than 770 million email addresses and usernames and 20 million passwords were discovered on a cloud service during a major breach. The 87GB collection appeared to be a compilation of data leaked in previous breaches and raised concerns about credential stuffing attacks.