[BreachExchange] CAM4 adult cam site exposes 11 million emails, private chats

Destry Winant destry at riskbasedsecurity.com
Wed May 6 10:28:06 EDT 2020


https://www.bleepingcomputer.com/news/security/cam4-adult-cam-site-exposes-11-million-emails-private-chats/

Adult live streaming website CAM4 exposed over 7TB of personally
identifiable information (PII) of members and users, stored within
more than 10.88 billion database records.

The sensitive data was leaked after one of the site's production
databases was left open to Internet access on a misconfigured
Elasticsearch cluster, with records dating back to March 16, 2020.

CAM4 has around 2 billion visitors each year and its members are
streaming more than 1 million hours of adult content every week, with
over 75,999 private shows being broadcast on a daily basis.


Exposed private chats and IP addresses

The CAM4 unsecured database was discovered by a Safety Detectives team
led by security researcher Anurag Sen and it was immediately taken
down by Irish parent company Granity Entertainment after the leak was
reported.

The records contained a wide range of PII in various combinations and
included anything from names, sexual orientation, and emails to IP
addresses, email message transcripts, and private conversations
between users.

[Image: Payment details with email (Safety Detectives)]

After analyzing the exposed database, the researchers discovered that
it contained:

• First and last names
• Email addresses
• Country of origin
• Sign-up dates
• Gender preference and sexual orientation
• Device information
• Miscellaneous user details such as spoken language
• Usernames
• Payments logs including credit card type, amount paid and applicable currency
• User conversations
• Transcripts of email correspondence
• Inter-user conversations
• Chat transcripts between users and CAM4
• Token information
• Password hashes
• IP addresses
• Fraud detection logs
• Spam detection logs

Furthermore, 11 million out of the almost 11 billion records found in
the exposed logs also contained at least one email address from a
variety of email providers including but not limited to gmail.com,
icloud.com, and hotmail.com.

Millions exposed from the US, Brazil, Italy, France, and more

CAM4's unsecured database was also analyzed to get a sense of how many
users were exposed per country and, based on the results, over 6.5M of
them were U.S. residents.

Over 5.3 million Brazilians and 4.8 million Italians also had their
PII exposed in the incident, with records of French and German users
also being found in the millions (i.e., 4.1 million and 3 million,
respectively).

"The security team also discovered 26,392,701 entries with passwords
hashes with a proportion of hashes belonging to CAM4.com users and
some from website system resources," the researchers said.

[Image: Number of records leaked per country (Safety Detectives)]

"Altogether, a 'few hundred entries' revealed full names, credit card
types and payment amounts. The combination of all three is a critical
aspect — as opposed to having limited access to just payment amounts
without full names — because in unison they create a far greater
security risk compared to just one or two information points in
isolation."

The PII data exposed via this poorly configured Elasticsearch cluster
could potentially be used by attackers as part of a wide array of
attacks targeting CAM4 users and members, ranging from highly
convincing spear-phishing attacks and blackmail campaigns to identity
theft and various types of fraud.

Last week, French daily newspaper Le Figaro also exposed approximately
7.4 billion records containing personally identifiable information
(PII) of reporters and employees, and of at least 42,000 users on a
publicly-facing misconfigured Elasticsearch server.

Adult site leaks can be devastating for members

Data leaks affecting users and members of adult sites can be even more
devastating given the highly sensitive nature of the information that
gets exposed.

For instance, members of Canadian online dating and social networking
site Ashley Madison are still being targeted in blackmail and
sextortion campaigns threatening to expose them using information
stolen after a data breach that took place in 2015.

And this is not even the biggest problem users of such platforms have
to face after a data leak: scammers will also target their spouses
with highly tailored blackmail messages, as happened to the spouses of
Ashley Madison users in 2016.

To make matters even worse, there are known cases of such scam
campaigns leading to the targeted individuals taking their own lives
as shown by a New Orleans pastor who committed suicide after the
hackers behind the Ashley Madison breach exposed his name online.

Properly securing Elasticsearch clusters

Misconfigured and unsecured Elasticsearch servers are still regularly
being found by security researchers online each day despite Elastic
Stack's core security features becoming free since May 2019.

While Elasticsearch's dev team explained in December 2013 that
Elasticsearch servers should never be accessible from the Internet but
instead configured for local access only, admins often forget this and
expose highly sensitive data publicly, with no proper security
controls.

Elastic NV advises database admins to secure their Elasticsearch
clusters by "preventing unauthorized access with password protection,
role-based access control, and IP filtering," as well as by setting up
passwords for built-in users.

On Elastic NV's documentation website, admins can also find a quick
step-by-step guide on how to properly secure Elasticsearch clusters
before deployment.
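The misconfiguration pattern behind this and the Le Figaro exposure is the same: a node bound to a non-loopback interface with X-Pack security left off, so the REST API on TCP 9200 answers any client that can reach it. The following is an added example, not code from the article or from Elastic, that audits an elasticsearch.yml for that pattern (weak settings beside the hardened ones Elastic's advice calls for: authentication, TLS on the HTTP port, and an IP filter allow list) and classifies the unauthenticated GET / probe that researchers run against hosts found on port 9200. Both sample configurations and the sample banner are constructed, not CAM4's, and the hostnames and subnets are placeholders.

```python
"""Audit an elasticsearch.yml for the exposure pattern described above: a node
bound beyond loopback with xpack.security disabled. Sample data is constructed."""
import json
from typing import Dict, List

# Constructed example of the weak configuration (placeholder names/addresses).
WEAK_CONFIG = """\
cluster.name: prod-logs
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened counterpart: private interface, auth and TLS on,
# IP filtering limited to the application subnet (placeholder values).
HARDENED_CONFIG = """\
cluster.name: prod-logs
node.name: es-1
network.host: 10.0.5.12   # private interface only, never 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: 10.0.5.0/24
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: 10.0.5.0/24
"""

# network.host values that bind every interface; anything not in LOOPBACK_BINDS
# is reachable from at least one other host.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}
LOOPBACK_BINDS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for the flat `key: value` lines elasticsearch.yml uses.
    Strips trailing comments and quotes; it is not a general YAML parser."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_true(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "false").lower() == "true"


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings, most severe first; an empty list means nothing flagged."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")  # Elasticsearch default is loopback
    non_loopback = host not in LOOPBACK_BINDS
    # 7.x shipped with security off by default, so an audit requires it explicitly.
    security_on = _is_true(settings, "xpack.security.enabled")
    http_tls = _is_true(settings, "xpack.security.http.ssl.enabled")
    ip_filter = (_is_true(settings, "xpack.security.http.filter.enabled")
                 and "xpack.security.http.filter.allow" in settings)
    port = settings.get("http.port", "9200")

    if non_loopback and not security_on:
        scope = "any Internet host" if host in PUBLIC_BINDS else f"any host that can route to {host}"
        findings.append(f"CRITICAL: network.host={host} with xpack.security.enabled != true; "
                        f"REST API on port {port} is readable and writable by {scope}")
    if security_on and not http_tls:
        findings.append("WARN: xpack.security.http.ssl.enabled != true; "
                        "basic-auth credentials cross the wire in cleartext")
    if non_loopback and not ip_filter:
        findings.append("WARN: no xpack.security.http.filter allow list; "
                        "only network ACLs stand between port 9200 and other hosts")
    return findings


def classify_probe(status: int, body: str) -> str:
    """Classify an unauthenticated GET / on port 9200. A 200 carrying the node
    banner JSON means indices can be read without credentials; 401/403 means
    authentication is enforced."""
    if status in (401, 403):
        return "auth-enforced"
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "exposed-unauthenticated"
    return "unknown"


# Constructed banner of the shape an unprotected node returns for GET /.
SAMPLE_OPEN_BANNER = json.dumps({"name": "es-1", "cluster_name": "prod-logs",
                                 "version": {"number": "7.6.2"},
                                 "tagline": "You Know, for Search"})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(cfg)) or ["OK"])
    print("probe:", classify_probe(200, SAMPLE_OPEN_BANNER))
```

The audit treats a missing `xpack.security.enabled` as off, which matches 7.x behaviour on the basic license; 8.x turns it on by default, but requiring the explicit `true` keeps the check useful for both. Once security is enabled the built-in users still need passwords, which on 7.x is done with `bin/elasticsearch-setup-passwords interactive` (on 8.x `bin/elasticsearch-reset-password`); a node that passes this audit but still has default or empty built-in credentials is not secured.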
