The personal information of more than a million users of popular adult website Luscious, including email addresses that sometimes indicated full names, was found exposed in an unsecured Elasticsearch database.
The website, which focuses on anime-themed, user-uploaded adult content, has over 1 million registered users. Website users have a private profile allowing them to upload, share, and comment on the website’s pornographic content – while keeping their identities hidden behind usernames.
However, researchers were able to access the personal details of 1.195 million user accounts, revealing their usernames and personal email addresses. Some personal email addresses reflected the full names of website users, researchers said.
“The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences,” said researchers with vpnMentor in a post this week. “The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.”
Researchers discovered the exposed data on Aug. 15. After the website was contacted on Aug. 16, the database was secured on Monday.
In addition to email addresses, researchers were also able to view user activity logs, which showed dates joined and recent logins, as well as content, images and videos uploaded and blog posts written. They could also access the country of residence and gender for impacted users. For instance, researchers discovered 13,000 email addresses ending in “.fr,” showing that those users are from France.
Of greater concern was the fact that researchers discovered dozens of “.gov” email accounts, indicating that the users were official government employees. These were emails tied to users from Brazil, Australia, Italy and Malaysia.
Researchers said that they aren’t sure whether third parties accessed the exposed database. However, if hackers were able to access the user data – particularly for something as sensitive as an adult dating website – it could be ruinous for victims’ relationships and personal lives.
If a bad actor were to get their hands on this database, researchers said, they could use it in several harmful ways – including doxing (investigating an internet user’s identity and making it public), extorting users by threatening to expose them unless they pay a ransom, or phishing.
“The impact of this data breach on users could be devastating, personally and financially,” they said. “Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed.”
Insecure databases continue to be a security thorn in companies’ sides: In June for instance, three publicly accessible cloud storage buckets from data-management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers – including internal business documents, system passwords and sensitive employee information. In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. And in April, hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.