An adult live-streaming site's unprotected database has led to a massive data breach that has leaked sensitive information of billions of users. The pornographic website, CAM4, which has "free live sex cams" on offer, exposed billions of records of personally identifiable user information, according to researchers at Security Detective. The 7TB database contained more than 10.88 billion records of sensitive user information, according to the team's lead researcher, Anurag Sen.
These records included names, emails, password hashes, country of origin, private chat transcripts, gender preferences, sexual orientation, payment logs and IP addresses used to view explicit content on the adult website. Users from the US, Brazil, France and Italy were the most affected by the data breach, the researchers pointed out.
The folks at Security Detective discovered that a misconfiguration of a production database on CAM4's end made it easy for anybody to access and view the information. "Leaving their production server publicly exposed without any password ... it's really dangerous to the users and to the company," said Sen.
Users can be targeted with sextortion emails and blackmail
The website's parent company, Granity Entertainment, took the database down immediately, but the logs date back to March 16. There is no evidence to suggest that CAM4 was hacked or that the database was accessed by malicious actors, but that does not necessarily mean it did not happen.
Cyber criminals could have already got their hands on the information, which they can later use to exploit users with phishing and sextortion scams. This is a highly sensitive issue for adult websites as most members prefer to maintain their anonymity.
In 2015, a data hack on Ashley Madison, an adult site that connected potential adulterers with each other, leaked the personal data of 37 million users. Later, attackers started targeting the users and their spouses, extorting money by blackmailing them. To this date, five years after the incident, victims are still being targeted with blackmail and sextortion campaigns.
Data leaks do happen from time to time, but with information this sensitive, the onus is on companies to take every precaution to protect their users' privacy.