UPDATE
A database containing the highly sensitive information on both users and models on the popular adult cam site Stripchat were discovered online, left completely unprotected. The data exposure puts models and users at risk of extortion, violence and more.
Stripchat is a popular site founded in 2016 and based in Cyprus that sells live access to nude models.
Volodymyr “Bob” Diachenko, head of security research Comparitech, reported that he discovered the database on an Elasticsearch cluster on Nov. 5. It contained about 200 million Stripchat records, he said, including 65 million user records containing email addresses, IP addresses, the amount in tips they gave to models, a timestamp of when the account was created and the last payment activity.
Another database contained about 421,000 records for the platform’s models, including their usernames, gender, studio IDs, tip menus and prices, live status and what is called their “strip score.”
It’s unclear if anyone with nefarious purposes managed to access it before it was secured on Nov. 7.
Stripchat’s Max Bennet provided a statement to Threatpost following the article’s publication, emphasizing that the content of the platform’s chat messages was not exposed. He also wanted to clarify that the leaked payment data contained transaction details, rather than credit-card numbers.
“Information on 134 million transactions occurring were exposed, however, no information was leaked regarding the payment details,” Bennet told Threatpost by email. “Finally, information on at least 719,000 chat messages (was exposed). No content of the private messages was revealed, though.”
Stripchat Data Exposure Threat
“The exposure could pose a significant privacy risk for both Stripchat viewers and models,” Diachenko said. “If the data was stolen, they could face harassment, humiliation, stalking, extortion, phishing and other threats, both online and offline.”
Stripchat user and model information could also be used in targeted phishing campaigns.
“Victims should be on the lookout for targeted phishing emails from fraudsters posing as Stripchat or a related company,” Diachenko warned. “Never click on links or attachments in unsolicited emails.”
The exposure was reported to Stripchat on Nov.5, with multiple contact points via email and Twitter subsequently. While the company didn’t directly respond to Diachenko’s disclosure, he said that as of Nov. 7, the data was secured.
“Sites like Stripchat should have stronger security practices and at least employ incident response protocols when receiving alerts like this from the security community,” he told Threatpost.
Look Out for Lewd Phishing Lures
Lewd phishing lures are increasingly being used in business email compromise (BEC) campaigns, according to research that GreatHorn published last summer. The firm found a stunning 974-percent uptick in social-engineering scams using salacious material, mostly aimed at employees with male-sounding names.
“It doesn’t always involve explicit material, but the goal is to put the user off balance, frightened – any excited emotional state – to decrease the brain’s ability to make rational decisions,” according to the report.
Being confronted at work with past Stripchat activities would certainly make rational thinking difficult.
The pandemic has been a boon to cybersex sites like Stripchat: The company said that following the onset of the pandemic and lockdowns, the platform saw a 72 percent rise in traffic and added 906,181,416 new users in 2020.
But, as these platforms gain users, they become bigger targets for attacks.
Leaky Clouds Persist
Stripchat joins a long and illustrious list of companies with leaky clouds, VIP Games exposed the user data of 66,000 users early in 2021. Dating sites, even Hobby Lobby, all have fallen victim to a misconfigured cloud. And it’s not just the private sector. Last summer, Diachenko found an exposed Elasticsearch cluster containing 1.9 million terrorist watchlist records.
When it comes to public-facing cloud storage, Diachekno called on organizations to do much more to protect their data.
“Exposure of records through misconfiguration is a major issue whether we are talking about public cloud misconfigurations or of any service exposed to the internet,” he said in an email to Threatpost. “Organizations needs to continuously monitor all resources deployed in their enterprise to minimize risks of such exposure. Such records can be sold on the dark web or used for further attacks especially if credentials are involved.”
This article was updated on Nov. 18, 2021 with a statement from Stripchat’s spokesperson.
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.
Register NOW for the LIVE event!