Nearly 400,000 users of adult site xHamster have found themselves in a compromising position after their private details were leaked. There’s no confirmation of who was behind the breach as yet, but usernames, email addresses and passwords have apparently been trading hands on the dark web for several months.
LeakBase, a breach notification site, made the hack common knowledge by publishing the login details of around 380,000 xHamster users – approximately 3.2% of the adult site’s total membership.
While xHamster claimed that the leaked passwords were all “properly encrypted”, any sense of relief was short-lived for members: according to LeakBase, the MD5 algorithm used to hash credentials is “trivial and easy to crack”.
Government, military emails exposed
There’s not much reassurance then for xHamster members affected by the breach, especially since the leaked data includes 40 US Army email addresses, as well as another 30 related to governments around the world. Both individuals and organizations could find their reputations at risk after the leak.
The breach is the latest in a string of compromises involving adult websites, including Ashley Madison, FriendFinder, Brazzers and Pornhub. Hackers may be targeting these sites not simply because of their lacklustre security, but because the sensitive information they house can be easily monetized via blackmail.
It’s the same mindset that has led to the development of malware like Delilah, a Trojan that targets employees visiting adult, gambling or other ‘unsavory’ websites to extort them into becoming malicious insiders willing to divulge company secrets.
Cracking corporate defenses
With individuals reusing the same passwords across dozens of personal applications, hacking sites like xHamster offers cybercriminals a simple route to reams of valuable data. By compromising personal accounts, attackers also gain an easy, low-cost and risk-free way to crack tougher corporate security, since employees often reuse personal passwords in the workplace.
SensePost, SecureData’s elite consulting arm, recently found that 868 UK organizations could be hacked right now through Outlook Web Application accounts, based on compromised email addresses and hashed passwords already available on the public internet.
Bolstering security
With the EU’s General Data Protection Regulation (GDPR) about to come into force, breaches becoming costlier than ever, and suicides not uncommon when blackmailers target sensitive information, sites like xHamster need to up their game when it comes to keeping users secure. That doesn’t just mean investing in the latest security technologies and stronger encryption, but also the skills and processes to defend data across the entire attack continuum.
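What moving off the MD5 hashing mentioned earlier can look like for a site operator, as an added example that is not xHamster's or LeakBase's code: existing MD5 values are wrapped in a salted, slow KDF straight away, then replaced with a direct hash at each user's next successful login. The choice of PBKDF2, the record format, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def legacy_md5(password):
    """The weak scheme the article describes: one fast, unsalted MD5 pass."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations).hex()

def wrap_legacy(md5_hex, iterations=ITERATIONS):
    """Harden a stored MD5 value in place, without knowing the password."""
    salt = os.urandom(16)
    digest = kdf(md5_hex, salt, iterations)
    return f"md5+pbkdf2${iterations}${salt.hex()}${digest}"

def hash_password(password, iterations=ITERATIONS):
    """Record for new or upgraded accounts: salted PBKDF2 over the password."""
    salt = os.urandom(16)
    return f"pbkdf2${iterations}${salt.hex()}${kdf(password, salt, iterations)}"

def verify(password, record):
    """Return (ok, record_to_store). A successful login against a wrapped
    legacy record comes back upgraded to a direct PBKDF2 record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] not in ("pbkdf2", "md5+pbkdf2"):
        return False, record  # bare MD5 or unknown format is never accepted
    scheme, iterations, salt_hex, expected = parts
    secret = legacy_md5(password) if scheme == "md5+pbkdf2" else password
    actual = kdf(secret, bytes.fromhex(salt_hex), int(iterations))
    if not hmac.compare_digest(actual, expected):
        return False, record
    if scheme == "md5+pbkdf2":
        return True, hash_password(password, int(iterations))
    return True, record

if __name__ == "__main__":
    row = legacy_md5("correct horse")  # constructed sample of a legacy DB value
    row = wrap_legacy(row)             # bulk migration, no user action needed
    ok, row = verify("correct horse", row)
    print(ok, row.split("$")[0])
```

Wrapping protects every stored record immediately, including accounts that never log in again, which matters when the password table is exactly what ends up being traded.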
Users should be wary as well. Good security hygiene is essential online: choose strong passwords, change them regularly and don’t reuse them across multiple platforms. If you decide to register on a particularly risqué website, using a disposable email address and innocuous alias is probably a good idea too.