The database behind Wife Lovers – a site dedicated to posting nudes and erotica about wives – has been breached, exposing a total of over 1.2 million unique email addresses.
Wife Lovers was one of eight adult websites that relied on the database, putting at risk the intimate messages of the users and photos that they said were of their wives – some of whom may not have a clue that their photos were being posted in the first place.
The other sites:
- asiansex4u.com
- bbwsex4u.com
- indiansex4u.com
- nudeafrica.com
- nudelatins.com
- nudemen.com
- wifeposter.com
The owner of Wife Lovers and the other seven sites, whom Ars Technica identified as Robert Angelini, said on his Wife Lovers site that he’d been notified – by a source “we feel is credible” – that an unnamed security researcher got access to the sites’ message boards and had downloaded registrants’ personal data.
The breached information includes:
- Email addresses
- Posting IDs
- Encrypted passwords
- IP address used to register on the sites
Angelini told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to the eight adult sites. Yet the 98MB database he received on Friday was mysteriously plump: it had 12 times as many email addresses as the total number of users who’ve posted to the sites, Angelini told Ars. It’s not clear if all the email addresses belong to legitimate users.
Angelini confirmed the breach on Saturday morning and took down the sites. He also put up a notice on the shuttered sites, warning users to change their passwords elsewhere, particularly if they’ve reused passwords on multiple sites:
When you post on the message board your email address and posting ID is already shown in your post. Thus, if someone is able to “crack the code” of the encrypted posting password they might be able to log into other websites that you use the same password associated with that posting ID or email address on our website.
As far as cracking the code goes, it was done pretty much instantaneously. The encryption used on the passwords is worthless: as Ars Technica’s Dan Goodin describes, it’s a four-decades old, weak hashing scheme that took password-cracking expert Jens Steube only seven minutes to recognize and to then decipher a given hash.
13 chars base64 usually descrypt (-m 1500 in hashcat)
— hashcat (@hashcat) October 18, 2018
VTB3d1ZQYv.7o:ecotone
The hash function is known as DEScrypt. Created in 1979, it’s based on the old Data Encryption Standard (DES): an algorithm that the National Security Agency (NSA) did two things to after IBM submitted it as a standard: 1) tweaked the algorithm to close a backdoor it secretly, allegedly knew about, and 2) cut the key size in half, making it too small to fend off brute-force attack.
Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahas, had this to say about it to Ars:
The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago. It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.
Angelini, meanwhile, is mulling the possibility that a family member with a grudge is behind the breach. From an email he sent to Ars:
She is pretty computer savvy, and last year I required a restraining order against her. I wonder if this was the same person [who hacked the sites].
Perhaps another good question to ask: who’s responsible for still using dusty, fusty hashing that’s as fresh as 40-year-old fish?
Goodin notes that the sites’ users were allowed to publicly link their accounts to one email address while associating a different, private email address to their accounts. That could lead to disclosure of not only users’ profile IDs, but their identities:
A Web search of some of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members, and other personal details. The name one user gave wasn’t his real name, but it did match usernames he used publicly on a half-dozen other sites.
Troy Hunt, who runs the Have I Been Pwned site, has listed the breach. Given the sensitive nature of the exposure, though, he’s marked the records as being sensitive, meaning that he won’t make exposed email addresses available for search per his usual practice.
That’s the same way Hunt treated Ashley Madison: a breach that led to extortion threats and multiple associated suicides.
Hunt:
This incident is a huge privacy violation, and it could be devastating for people like [one of the names in the exposed database] if he’s outed (or, I assume, if his wife finds out).
J L
I’ve been using that site off and on since it was created and it’s NEVER been secure. You didn’t even need an account to view/download content. It served it’s purpose but the majority of it’s “users” were fakes and flakes; lots of them posting web pics passed off as their wives and gfs.
Another thing was guys posting pictures of their exes and wives who CLEARLY had no knowledge they were being exposed. In the early days there was a lot of racist commentary on the boards that the moderators did NOTHING about.
The main reason I came to comment has to do with the “plump” data that was “12 times” the number of users. If you ever used the site it doesn’t take a genius to figure out why that is. The moderators would ban and block user accounts arbitrarily. People that enjoyed posting would just create new accounts and continue to post; lots of those aforementioned fakes/flakes would create new accounts every few months reposting the same content trying to con ACTUAL users into bogus “pic exchanges”. The problem though is that after an account got blocked/banned some of the content remained.
For example, the site NEVER deleted personal ads. There were ads from the very beginning of the site still there from “users” who had long abandoned the site. Even if your account was blocked, your personal ad would remain and any content posted with it. I was never a paid member but I can only imagine that the paid side archived EVERYTHING,
Again, the site had a few pros but it was mostly a big con!