The personal email addresses – some indicating user names or government official status – of more than a million pornography website users were exposed.
Adult Content Site- The personal information more than a million users of popular adult website Luscious, including email addresses that sometimes indicated full names, were found exposed in an unsecured Elasticsearch database.
The website, which focuses on anime-themed, user-uploaded adult content, has over 1 million registered users. Website users have a private profile allowing them to upload, share, and comment on the website’s pornographic content – while keeping their identities hidden behind usernames.
However, researchers were able to access the personal details of 1.195 million user accounts, revealing their usernames and personal email addresses. Some personal email addresses reflected the full names of website users, researchers said.
“The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences,” said researchers with vpnMentor in a post this week. “The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.”
Researchers discovered the exposed data on Aug. 15. After being contacted on Aug. 16, the database was then secured on Monday.
In addition to email addresses, researchers were also able to view user activity logs, which showed dates joined and recent log ins, as well as content, image and videos uploaded and blog posts written. They could also access the country of residence and gender for impacted users. For instance, researchers discovered 13,000 email addresses in “.fr,” showing that those users are from France.
Of greater concern was the fact that researchers discovered dozens of “.gov” email accounts, indicating that the users were official government employees. These were emails tied to users from Brazil, Australia, Italy and Malaysia.
Researchers said that they aren’t sure whether third-parties accessed the exposed database. However, if hackers were able to access the user data – particularly for something as sensitive as an adult dating website – it could be ruinous for victims’ relationships and personal lives.
If a bad actor were to get their hands on this database, researchers said, they could use it in several harmful ways – including doxing (investigating an internet user’s identity and making it public), extorting users by threatening to expose them unless they pay a ransom, or phishing.