The database underlying an erotica site known as Wife Lovers has been hacked, making off with user information protected only by a simple-to-crack, outdated hashing technique known as the DEScrypt algorithm.
Over the weekend, it came to light that Wife Lovers and seven sister sites, all similarly targeted to a specific adult interest (asiansex4u[.]com; bbwsex4u[.]com; indiansex4u[.]com; nudeafrica[.]com; nudelatins[.]com; nudemen[.]com; and wifeposter[.]com) were compromised thanks to an attack on the 98-MB database that underpins them. Between the eight different adult websites, there were more than 1.2 million unique email addresses in the trove.
“Wife Lovers acknowledged the breach, which impacted names, usernames, email and IP addresses and passwords,” explained independent researcher Troy Hunt, who verified the incident and uploaded it to HaveIBeenPwned, with the information marked as “sensitive” due to the nature of the data.
The site, as its name suggests, was dedicated to posting intimate adult photos of a personal nature. It’s unclear if the photos were intended to represent users’ spouses or the wives of others, or what the consent situation was. But that’s a bit of a moot point given that it’s been taken offline for now in the aftermath of the hack. Nonetheless, the information thieves made off with enough data to make follow-on attacks a likely scenario (such as blackmail and extortion attempts, or phishing expeditions) – something seen in the wake of the 2015 Ashley Madison attack that exposed 36 million users of the dating site for cheaters.
Worryingly, Ars Technica did a web search of some of the private email addresses associated with the profiles, and “quickly returned accounts on Instagram, Amazon and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members and other personal details.”
In other words, the risk to victims in these breaches is very high.
“Today, risk is really characterized by the amount of personal data that can potentially be compromised,” Col. Cedric Leighton, CNN’s military analyst, told Threatpost. “The data risk in the case of these breaches is very high because we’re talking about a person’s most intimate secrets…their sexual predilections, their innermost desires and what kinds of things they may be willing to do to compromise loved ones, like their spouses. Not only is follow-on extortion likely, it also stands to reason that this type of data can be used to steal identities. At the very least, hackers could assume the online personalities revealed in these breaches. If these breaches result in other breaches of things like bank or workplace passwords then it opens a Pandora’s Box of nefarious possibilities.”
Wife Lovers said in a website notice that the attack started when an “unnamed security researcher” was able to exploit a vulnerability to download message-board registration information, including email addresses, usernames, passwords and the IP address used when someone registered. The so-called researcher then sent a copy of the full database to the site’s owner, Robert Angelini.
“This person reported that they were able to exploit a script we use,” Angelini noted in the website notice. “This person told us that they were not going to publish the information, but did it to identify websites with this type if security issue. If this is true, we have to assume others might have also gotten this information with not-so-honest intentions.”
It’s worth mentioning that previous hacking groups have claimed to lift information in the name of “security research,” including W0rm, which made headlines after hacking CNET, the Wall Street Journal and VICE. w0rm told CNET that its goals were altruistic, and done in the name of raising awareness for internet security – while also offering the stolen data from each company for 1 Bitcoin.
Angelini also told Ars Technica that the database had been built up over a period of 21 years; between current and former sign-ups, there were 1.2 million individual accounts. In an odd twist however, he also said that only 107,000 people had ever posted to the eight adult sites. This could mean that most of the accounts were “lurkers” checking out profiles without posting anything themselves; or, that many of the emails are not legitimate – it’s unclear. Threatpost reached out to Hunt for more information, and we will update this posting with any response.
Meanwhile, the encryption used for the passwords, DEScrypt, is so weak as to be meaningless, according to hashing experts. Created in the 1970s, it’s an IBM-led standard that the National Security Agency (NSA) adopted. According to researchers, it was tweaked by the NSA to actually remove a backdoor they secretly knew about; but, “the NSA also ensured that the key size was drastically reduced such that they could break it by brute-force attack.”
Which is why it took password-cracking “Hashcat”, a.k.a. Jens Steube, a measly seven minutes to decipher it when Hunt was looking for information via Twitter on the cryptography.
13 chars base64 usually descrypt (-m 1500 in hashcat)
— hashcat (@hashcat) October 18, 2018
In warning his clientele of the incident via the website notice, Angelini reassured them that the breach didn’t go deeper than the free areas of the sites:
“As you know, our websites keep separate systems of those that post on the message board and those that have become paid members of this website. They are two completely separate and different systems. The paid members information is NOT suspect and is not stored or managed by us but rather the credit card processing company that processes the transactions. Our website never has had this information about paid members. So we believe at this time paid member customers were NOT affected or compromised.”
In any event, the incident points out once again that any site – even those flying under the mainstream radar – is at risk for attack. And, using up-to-date security measures and hashing techniques is a critical first-line of defense.
“[An] element that bears close scrutiny is the weak encryption that was used to ‘secure’ the site,” Leighton told Threatpost. “The owner of the sites clearly failed to appreciate that securing his sites is a very dynamic business. An encryption solution that may have worked 40 years ago is clearly not going to cut it today. Failing to secure websites to the latest encryption standards is simply asking for trouble.”