Adult streaming website Cam4 has suffered from a data leak. In all, 10 billion records were left exposed to anyone smart enough to find them.
We continue this daily security incident thing with another one. Today, we are learning that adult streaming website Cam4 has suffered from a data leak. While there is no exact number of users that had their information exposed, it is estimated that several million users have been exposed. The database itself weighs in at 7TB and contains 10 billion records.
From Security Boulevard:
A team of security researchers led by Anurag Sen recently uncovered a leaky database from CAM4, a popular live-streaming adult website. Housed on a misconfigured Elasticsearch server, the unsecure database exposed around 7TB of personal information from platform users and members.
Among the cluster of 10 billion records, the analysts discovered information of CAM4 users, including:
- First and last names
- Email addresses and password hashes
- Country of origin and sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Usernames and user conversations
- Payments logs including credit card type, amount paid and applicable currency
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- IP addresses
- Fraud and Spam detection logs
After rounding up the personal information, the team was able to pinpoint 11 million records containing emails, 26.3 million containing password hashes, and less than 1,000 revealing full names, credit card types and amounts paid to view explicit content on the website.
“US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated,” said researchers.
The big concern with such a data leak is that, should this information be scraped by criminals, it opens the door to blackmail and extortion threats among other things.
Perhaps the good news in all of this is that the passwords were hashed. This means that the hash needs to be cracked first before passwords can be used for credential stuffing purposes. This buys users who re-used their Cam4 passwords on other sites time to change their passwords. Still, it’s only a matter of time at this stage before the passwords are no longer secure for the respective users.
The article goes on to say that once the company, Granity Entertainment, became aware of the data leak, the database was taken down immediately. Unfortunately, the information dates back to March 16, which means that there was a significant window in which criminals could have theoretically scraped the information. Really, data dating later than March 16 could theoretically be secure, but that’s not a lot.
Either way, this is a significant data leak that shouldn’t be treated lightly. No doubt users are quietly worried about what happened and are hoping that whatever activity they engaged in before doesn’t come back to haunt them in the future.
As mentioned, these security incidents have become a seemingly daily occurrence these days. This month, we saw the Webkinz data breach, which saw 23 million accounts compromised. This was followed up by the GoDaddy data breach, which saw SSH access compromised for some users. Shortly after, we saw the Tokopedia data breach, which saw 91 million accounts compromised. That particular breach sparked a lawsuit in Indonesia in response. Finally, just yesterday, we saw Unacademy suffer a data breach. That saw 22 million accounts compromised. This really has become a very busy month so far on this front. All we can do now is watch to see who gets hit next.
Drew Wilson on Twitter: @icecube85 and Facebook.