[BreachExchange] Users of Adult Website Exposed By Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Aug 21 10:07:36 EDT 2019


A website that shares adult content has caused blushes of a different
kind by leaking the private data of 1.195 million global users.

An authentication failure on the website Luscious.net allowed
unrestricted access to a database containing user names, locations,
genders, personal email addresses and even some full names. Also
available were activity logs detailing what users had liked, uploaded,
commented on and shared.

Users of the website, which specializes in computer-generated
pornographic animations and graphics, were left vulnerable to
bullying, harassment, phishing and the threat of blackmail. It is
estimated that around 20% of the user accounts were set up with fake
email addresses, meaning roughly 800,000 genuine email accounts were
placed at risk.

The data leak was uncovered on August 15 by a vpnMentor research team
led by cybersecurity professionals Noam Rotem and Ran Locar. The team
was able to access detailed information regarding user activity on the
site, including image uploads and blog posts.

A spokesperson for vpnMentor said: "Some of these blog posts were
extremely personal – including depressive or otherwise vulnerable
content – and kept anonymous. Due to this data breach, however, the
blog posts are no longer anonymous, with many of the authors'
identities revealed."

After being informed of the breach, it took the operators of
Luscious.net just four days to fix the security hole. It's unknown how
long the private user data may have lain exposed before the leak was

A number of users in Brazil, Australia, Italy, Malaysia and Australia
had signed up to Luscious using official government email addresses.
Though this may come as a surprise to some people, Ed Macnair, CEO of
Censornet, isn't one of them.

Macnair said: "It sounds unlikely that people would use their
professional email addresses for personal services, but in a survey we
ran last year, 10% of respondents admitted to visiting adult websites
from a work device or using the work internet connection."

Commenting on the Luscious data leak, he said: "This is hugely
concerning as it risks exposing an entire organisation to an attack.
It is therefore vital that organizations – government or otherwise –
put strict measures on internet activity at work and discourage the
use of work email addresses for personal services."

Luscious users are advised to change their username and other account
details to remain safe.
