A website that shares adult content has caused blushes of a different kind by leaking the private data of 1.195 million global users.
An authentication failure on the website Luscious.net allowed unrestricted access to a database containing user names, locations, genders, personal email addresses and even some full names. Also available were activity logs detailing what users had liked, uploaded, commented on and shared.
Users of the website, which specializes in computer-generated pornographic animations and graphics, were left vulnerable to bullying, harassment, phishing and the threat of blackmail. It is estimated that around 20% of the user accounts were set up with fake email addresses, meaning roughly 800,000 genuine email accounts were placed at risk.
The data leak was uncovered on August 15 by a vpnMentor research team led by cybersecurity professionals Noam Rotem and Ran Locar. The team was able to access detailed information regarding user activity on the site, including image uploads and blog posts.
A spokesperson for vpnMentor said: “Some of these blog posts were extremely personal – including depressive or otherwise vulnerable content – and kept anonymous. Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors’ identities revealed.”
After being informed of the breach, it took the operators of Luscious.net just four days to fix the security hole. It’s unknown how long the private user data may have laid exposed before the leak was caught.
A number of users in Brazil, Australia, Italy, Malaysia and Australia had signed up to Luscious using official government email addresses. Though this may come as a surprise to some people, Ed Macnair, CEO of Censornet, isn’t one of them.
Macnair said: “It sounds unlikely that people would use their professional email addresses for personal services, but in a survey we ran last year, 10% of respondents admitted to visiting adult websites from a work device or using the work internet connection.”
Commenting on the Luscious data leak, he said: “This is hugely concerning as it risks exposing an entire organisation to an attack. It is therefore vital that organizations – government or otherwise – put strict measures on internet activity at work and discourage the use of work email addresses for personal services.”
Luscious users are advised to change their username and other account details to remain safe.
Source: Infosecurity Magazine