Adult live-streaming site CAM4 has spilt millions of users’ private chats, email correspondence, names, email addresses, sexual preferences, password hashes, IP addresses and more.
CAM4 is owned by the Irish company Granity Entertainment. A streaming site for amateurs to watch live, explicit performances, it offers customers the ability to buy virtual tokens if they want to tip performers or watch private shows. Started in 2007, at this point it’s paid out over USD $100 million in performer commissions.
The leak, now closed, was huge. It involved an unsecured Elasticsearch database that tipped the scales at over 7TB. The security team that found it – the researchers at Safety Detectives – isn’t sure whether the billions of records they came across belong to content providers or the customers who viewed their performances.
In a report published on Monday, Safety Detectives’ Jim Wilson said that the firm’s security team doesn’t know exactly how many users were involved, but the size of the breach is enormous.
They found nearly 11 billion – that’s billion, with a “B” – records, freely available for public view, lacking adequate security measures. The wealth of personally identifiable information (PII) in the unsecured records included:
- First and last names
- Email addresses
- Country of origin
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Usernames
- Payments logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
The US accounted for the highest number of leaked records per country, with Brazil coming in second and Italy third. It’s tough to suss out a precise number for the exposed email records, Safety Detectives said, given that multiple entries were duplicated.
The database’s production logs date back to 16 March 2020. Among the spillage were some 11 million records that contained emails, with some entries containing multiple email addresses relating to users from multiple countries.
There were 26,392,701 entries with password hashes: some belonging to CAM4.com users and some from website system resources. A few hundred entries revealed full names, credit card types and payment amounts.
How crooks can use the data against us
Whenever an adult-themed site leaks data, the specter of extortion arises. That’s what happened after Ashley Madison, the hook-up site for adulterers, was breached in 2015, with the subsequent exposure of names, email addresses and sexual fantasies of nearly 40 million users.
The fallout was nasty and prolonged as the culprits kept turning the screws on victims they dismissed as “cheating dirtbags.” Unsurprisingly, blackmail attempts followed, as did at least one suicide confirmed as being linked to the breach.
Besides extortion, Safety Detectives suggests that the full names, emails and password hashes leaked by CAM4 might also lead to identity theft, phishing scams and website attacks.
The research team also noted that the availability of fraud detection logs “enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as enabling a greater level of server penetration.”
The leak is now plugged. It’s unknown whether any malicious actors got their hands on the data while it was available. Let’s hope not: the world doesn’t need another Ashley Madison-esque flood of extortion attempts, broken marriages or suicides.
Todd Davis
Never use your real name on the interweb, or SS#.
Mahhn
FYI for those that didn’t get that, Todd Davis is a guy that started a company offering identity protection. To promote it he had his social security number on billboards, which was dumb, as he had his identity stolen successfully multiple times after that.
gps
Cam4 sent this email to its users, which would seem at odds with your story…
We would like our community to know that recently CAM4 became aware of the potential for a data breach through the security company SafetyDetectives.com. Our technical team was able to remedy the situation in less than 30 minutes, and no data of any CAM4 user was compromised by this vulnerability.
Security is at the core of our business and we take it very seriously. We are happy that user data was not compromised by this situation and are reminded how important it is to continue to invest in protecting the data of our users.
CAM4 will happily respond to any questions or concerns. Please contact us anytime at [REDACTED].
Paul Ducklin
The point of the story is that the data was left where anyone, in theory, could have found it, and someone did. It’s a relief if CAM4 thinks that, in all likelihood, the data wasn’t accessed other than when the researchers stumbled upon it… but the data still escaped where it should not have, so the article and the reply aren’t “at odds” with each other.
Bad news: there was a data leak; good news: it seems to have been contained.