A misconfigured cloud database has leaked records on tens of millions of users of an adult streaming site, putting them at risk of blackmail and identity theft, according to researchers.
CAM4 is a live streaming website for explicit content, with visitors paying to watch signed-up amateur performers film themselves online.
Safety Detectives researchers led by Anurag Sen found an unsecured Elasticsearch database containing over 7TB of personal data and production logs dating from March 16 2020. Although CAM4 appears to be owned by Irish company Granity Entertainment, the server was hosted in the Netherlands by Mojohost.
It was found to be leaking almost 11 billion records, including 11 million containing emails and 26.3 million containing password hashes. Millions contained first and last names, country of origin, sexual orientation, usernames, chat and email transcripts from the site, IP addresses, and inter-user conversations.
In addition, a few hundred records are said to have revealed full names, credit card types and payment amounts.
It’s not clear whether the data belongs to content producers or viewers, or both. However, the data exposed in the privacy incident could have been highly lucrative for cyber-criminals, enabling follow-on phishing, identity fraud, and – perhaps most damaging – blackmail.
Hackers could also use the exposed Apple, Google and other emails to target cloud storage and other adjacent consumer services to harvest yet more personal information, Safety Detectives warned.
“The availability of fraud detection logs enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as enabling a greater level of server penetration,” it continued.
“Moreover, website backend data could be harnessed to exploit the website and create threats including ransomware attacks.”
The majority of exposed email records came from US users, followed by Brazil, Italy, France and Germany.
Less than a week ago, Sen and his team discovered a similar incident in which French newspaper Le Figaro leaked over seven billion records including readers’ personal information.