Researchers at VPNMentor were able to access roughly one million user accounts associated with the pornographic website Luscious.
VPNMentor’s Noam Rotem and Ran Locar found 1.195 million records associated with the one million registered site users containing a variety of information that could be ruinous to the individuals if released. The nature of the breach itself was not disclosed.
The site allows its members to upload user-created animated content and then comment on and discuss the content anonymously behind a username.
The breach compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address, usernames, user activity logs (date joined, most recent login), country of residence/location and gender. Additionally, some email addresses contained the member’s full name, expanding their exposure.
It is believed that about 20 percent of the email addresses that were supplied to Luscious are fake, thus protecting those users from some harm.
“The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers,” Rotem and Locar wrote.
The PII exposed was just part of what the team uncovered. Also associated with each account are the number of image albums they had created, video uploads, comments, blog posts, favorites, followers and accounts followed and their user ID number.
The records exposed came from people located around the world with particular concentrations located in France, Germany and Russia. It was also noted that many users joined the site using government and company-issued email addresses, thus exposing those organizations as well.
“Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed. Its exposure could be ruinous for a victim’s relationships and personal lives. The information made available in Luscious’ databases gives criminal and malicious hackers many options to use this data for illicit gains and exploiting users,” the researchers said.
This exposure could lead to extortion, doxing and phishing schemes being launched against the account holders.
VPNMentor reported the issue to Luscious on August 15 and the situation was rectified by August 19. However, it is recommended that all Luscious account holders immediately change their login credentials as a safety measure.