[BreachExchange] A network of ‘camgirl’ sites exposed millions of users and sex workers

Destry Winant destry at riskbasedsecurity.com
Tue Nov 5 09:58:38 EST 2019


https://techcrunch.com/2019/11/03/camgirl-network-exposed-millions-users/

A number of popular “camgirl” sites have exposed millions of sex
workers and users after the company running the sites left the
back-end database unprotected.

The sites, run by Barcelona-based VTS Media, include amateur.tv,
webcampornoxxx.net, and placercams.com. Most of the sites’ users are
based in Spain and Europe, but we found evidence of users across the
world, including the United States.

According to Alexa traffic rankings, amateur.tv is one of the most
popular sites in Spain.

The database, containing months’ worth of daily logs of the site
activities, was left without a password for weeks. Those logs included
detailed records of when users logged in — including usernames and
sometimes their user-agents and IP addresses, which can be used to
identify users. The logs also included users’ private chat messages
with other users, as well as promotional emails they were receiving
from the various sites. The logs even included failed login attempts,
storing usernames and passwords in plaintext. We did not test the
credentials as doing so would be unlawful.

None of the data was encrypted.

The exposed data also revealed which videos users were watching and
renting, exposing kinks and private sexual preferences.

In all, the logs were detailed enough to see which users were logging
in, from where, and often their email addresses or other identifiable
information — which in some cases we could match to real-world
identities.

Not only were users affected, the “camgirls” — who broadcast sexual
content to viewers — also had some of their account information
exposed.

The database was shut off last week, allowing us to publish our findings.

Researchers at Condition:Black, a cybersecurity and internet freedom
firm, discovered the exposed database.

“This was a serious failure from a technical and compliance
perspective,” said John Wethington, founder of Condition:Black. “After
reviewing the sites’ data privacy policy and terms and conditions,
it’s clear that users likely had no idea that their activities were being
monitored to this level of detail.”

“Users should always take into consideration the implications of their
data leaking but especially where the implications could be life
altering,” he said.

Data exposures — where companies inadvertently leave their own systems
open for anyone to access — have become increasingly common in recent
years. Dating sites are among those with some of the most sensitive
data. Earlier this year, group dating site 3Fun exposed over a
million users’ data, allowing researchers to view users’ real-time
locations without permission. These security lapses can be extremely
damaging to their users, exposing private sexual encounters and
preferences known only to the users themselves. The fallout following
the 2016 hack of affair-focused site Ashley Madison resulted in
families breaking up and several reports of suicides connected to the
breach.

An email to VTS Media bounced over the weekend. Hector Ros Oliver, a
spokesperson for the company, made several denials in a statement
published Monday.

Given both the company and its servers are located in Europe, the
exposure of sexual preferences would fall under the “special
categories” of GDPR rules, which require more protections. Companies
can be fined up to 4% of their annual turnover for GDPR violations.

A spokesperson for the Spanish data protection authority (AEPD) did
not respond to a request for comment outside business hours.

