The personal information of users of an adult cam site, including their email addresses and sexual orientation, has been caught up in an exposure of roughly 7 terabytes of data.
CAM4 is a popular streaming platform offering “free live sex cams”.
Security review site SafetyDetectives revealed this week that it had discovered a company database online with no password protection. The database held 10.88 billion records, including user names, payment logs, chat records, country of origin, sign-up dates, device information, hashed passwords and email content.
More than 270,000 of these records relate to user logs from Australia.
The server was meant for internal use at CAM4 only, but a configuration mistake left it reachable from the internet with no authentication, for anyone who found it to read.
This does not necessarily mean that any malicious actor accessed the data: SafetyDetectives said the exposure was fixed quickly after the company was notified, although an unauthenticated server leaves no reliable record of who read it before then.
SafetyDetectives searched the Shodan engine for insecure databases and found the CAM4 Elasticsearch production database, with the personally identifiable information in it, among the results.
“Leaving their production server publicly exposed without any password, it’s really dangerous to the users and to the company,” SafetyDetectives researcher Anurag Sen said.
The configuration mistake is a common one that can leave highly sensitive information exposed to anyone on the internet who finds it, security consultant Bob Diachenko told Wired.
“It’s a really common experience for me to see a lot of exposed Elasticsearch instances,” Diachenko said. “The only surprise that came out of this is the data that is exposed this time.”
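The article does not publish CAM4's configuration, so the following is an added illustration of the general mistake Diachenko describes, not the company's own files: two fragments of an elasticsearch.yml, one that produces an "open Elasticsearch" of the kind Shodan indexes, and a hardened equivalent. The setting names are Elasticsearch 7.x settings; the IP address and certificate path are hypothetical placeholders.

```yaml
# Added illustration, not CAM4's actual configuration. Two separate
# elasticsearch.yml fragments (do not load both as one file: the keys repeat).

# --- Exposed: the usual shape of an "open" Elasticsearch node ---
# The default bind address is loopback only. Binding to all interfaces
# exposes the REST API on every network the host sits on.
network.host: 0.0.0.0
http.port: 9200
# On 7.x with a basic licence, security stays off unless enabled explicitly,
# so anyone who can reach port 9200 can list and read every index.
xpack.security.enabled: false

# --- Hardened: same node, reachable only by the application that needs it ---
# Bind to the internal interface the application actually uses
# (10.0.0.5 is a hypothetical private address).
network.host: 10.0.0.5
http.port: 9200
# Require authentication on the REST API and encrypt it in transit.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # hypothetical path
```

A quick external check for the first shape is `curl -s http://<host>:9200/_cat/indices?v` from a machine outside the network: an index listing with HTTP 200 and no credentials is exactly what Shodan-style scanning finds, whereas a node with security enabled answers 401. Network reachability should still be restricted with a firewall or security group; authentication is the second layer, not a substitute for the first.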
The 7 terabytes of data are made up of 10.88 billion records relating to CAM4 users.
Out of these, 11 million of the records contained email addresses, while another 26 million had password hashes.
A few hundred of the records had full names, credit card types and payment amounts.
It’s estimated that about 6.6 million users were caught up in the leak. The majority of the records relate to people in the US, while 5.4 million were from Brazil, 4.9 million from Italy and 4.2 million from France.
The server was taken offline by CAM4's parent company Granity Entertainment within half an hour of being notified, SafetyDetectives said.
The sensitive data could easily be used for identity theft, phishing scams, website attacks or blackmail, the researchers said.
“User emails could be targeted with leaked data then used maliciously to trigger clicks with phishing and malware scams deployed against unsuspecting targets,” they said.
“The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud – domains that offer supplementary services such as cloud storage and business tools – means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers, assuming their accounts were eventually hacked via phishing as one example.
“This information could then be weaponised to compromise other individuals and groups such as family members, colleagues, employees and clients of other businesses.”
The infamous data breach at Ashley Madison in 2015 was later linked with extortion, exploitation and lawsuits, with data on the adult site’s 36 million users leaked.
This week also saw a significant data breach at the world's largest web domain registrar. An attacker obtained the login information for the hosting accounts of 28,000 GoDaddy customers after breaking into some of the company's servers and accessing secure shell (SSH) login credentials.
Last year more than 770 million email addresses and usernames and more than 20 million passwords were discovered on a cloud storage service in a major breach. The 87GB collection appeared to be a compilation of data leaked in earlier breaches, and raised concerns about credential stuffing attacks, in which leaked username and password pairs are replayed against other sites where users reused them.