100,000 aficionados of hardcore fetish porn have been compromised after a niche web forum was hacked.
Independent researcher Troy Hunt, who runs the Have I Been Pwned? database of stolen user accounts, told the BBC that along with the usual data hauls of email addresses, usernames, IP addresses and passwords, this breach also included information about specific sexual proclivities that can be linked to individuals. Tantalizingly for the muckrakers out there, Hunt added that government and military email addresses were found among the trove.
"This is a forum where you would think people would want to stay private, but people were using traceable emails or even corporate emails," Hunt told the Beeb.
The site—which no one has yet named—was an easy target. It had been using unpatched software, so the thieves needed only to use a well-known exploit to download the entire database of registered accounts.
"It took advantage of a common vulnerability using an SQL injection," Hunt said.
According to Hunt, some of the victims are repeat targets. About 37% of the accounts were already listed on Have I Been Pwned?
“This hack was the result of having an old system which did not have the appropriate security measures in place that would have protected them from such a hack,” David Navin, head of corporate at Smoothwall, said via email. “Many businesses will suffer similar issues—legacy systems are an issue in all sectors. To address this, it is essential that businesses start with the basics. Beginning with a firewall, encryption and good security software, if companies have those measures in place and continue to layer on top of that, then it will reduce the chances of a cyber-hack.”
He added, “Companies that deal in sensitive issues and collect data especially, should ensure that they have the latest technologies in place to protect their users, otherwise risk seriously harming their reputation and it could make it difficult to recover from.”
To protect one’s privacy, Hunt suggested that users "create an email account and make up a name and use something like the Tor browser so the IP address can't be traced back to you.”
Some adult sites are taking an active role in user protection. Adult entertainment website Pornhub for instance is the latest firm to ask the white hat research community to help fortify it against attack, after launching a bug bounty program. Like many other firms, it has launched the program in partnership with the HackerOne platform, and is offering anywhere between $50 and $25,000 depending on the severity of the reported flaw.
Photo © pathdoc