Account details belonging to hundreds of thousands of users of porn website xHamster are being traded on the digital underground.
That’s according to Vice’s Motherboard, who claimed it received a database of almost 380,000 users from for-profit breach notification site LeakBase which included usernames, email addresses and what looks like poorly-hashed passwords.
Despite xHamster being a free porn site, users do have the option to create their own collections, post comments and upload videos, but to do so they need to sign up with their credentials first.
Motherboard confirmed that the email addresses within the database appear to be legitimate and correspond to existing xHamster accounts. The publication selected 50 at random and tried to create new accounts on the site with them, but received a message for each stating the email address was already being used. What’s more, almost all of the related usernames seem to be taken too.
LeakBase told Motherboard the data was being traded at around the same time a hacker found a vulnerability in xHamster's website earlier this year. However, it is not currently known exactly how this database was obtained.
“Data leaks are becoming increasingly commonplace as the digital world advances and digital assets become more lucrative to sell on the dark web,” Claire Stead, online safety ambassador at Smoothwall, told Infosecurity. “Companies now have a wealth of data on their users, and a lot of damage can be done even with the simplest of information such as an email, name or password.”
Companies that collect data and deal in sensitive issues should ensure that they have the latest technologies in place to protect their users, otherwise they risk seriously harming their reputation and also put their users at risk outside of their organization, she added.
“Likewise, users should protect themselves by refreshing their passwords on a regular basis, ensuring they remain complex and impersonal.”