Adult live-streaming site CAM4 leaks millions of emails, private chats

Adult live-streaming site CAM4 has spilt millions of users’ private chats, emails, names, email addresses, sexual preferences, password hashes, IP addresses and more.
CAM4 is owned by the Irish company Granity Entertainment. A streaming site for amateurs to watch live, explicit performances, it offers customers the ability to buy virtual tokens if they want to tip performers or watch private shows. Started in 2007, at this point it’s paid out over USD $100 million in performer commissions.
The leak, now closed, was huge. It involved an unsecured Elasticsearch database that tipped the scales at over 7TB. The security team that found it – the researchers at Safety Detectives – isn’t sure whether the billions of records they came across belong to content providers or the customers who viewed their performances.
In a report published on Monday, Safety Detectives’s Jim Wilson said that the firm’s security team doesn’t know exactly how many users were involved, but the size of the breach is enormous.
They found nearly 11 billion – that’s billion, with a “B” – records, freely available for public view, lacking adequate security measures. The wealth of personally identifiable information (PII) in the unsecured records included:

• First and last names
• Email addresses
• Country of origin
• Gender preference and sexual orientation
• Device information
• Miscellaneous user details such as spoken language
• Usernames
• Payments logs including credit card type, amount paid and applicable currency
• User conversations
• Transcripts of email correspondence
• Inter-user conversations
• Chat transcripts between users and CAM4
• Token information
• Password hashes
• IP addresses
• Fraud detection logs
• Spam detection logs

The US accounted for the highest number of leaked records per country, with Brazil coming in second and Italy third. It’s tough to suss out a precise number for the exposed email records, Safety Detectives said, given that multiple entries were duplicated.
The database’s production logs date back to 16 March 2020. Among the spillage were some 11 million records that contained emails, with some entries containing multiple email addresses relating to users from multiple countries.
There were 26,392,701 entries with passwords hashes: some belonging to CAM4.com users and some from website system resources. A few hundred entries revealed full names, credit card types and payment amounts.

How crooks can use the data against us

Whenever an adult-themed site leaks data, the specter of extortion arises. That’s what happened after Ashley Madison, the hook-up site for adulterers, was breached in 2015, with the subsequent exposure of names, email addresses and sexual fantasies of nearly 40 million users.

The fallout was nasty and prolonged as the culprits kept turning the screws on victims they dismissed as “cheating dirtbags.” Unsurprisingly, blackmail attempts followed, as did at least one suicide confirmed as being linked to the breach.

Besides extortion, Safety Detectives suggests that the full names, emails and password hashes leaked by CAM4 might also lead to identity theft, phishing scams and website attacks.
The research team also noted that the availability of fraud detection logs “enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as enabling a greater level of server penetration.”
The leak is now plugged. It’s unknown whether any malicious actors got their hands on the data while it was available. Let’s hope not: the world doesn’t need another Ashley Madison-esque flood of extortion attempts, broken marriages or suicides.

Latest Naked Security podcast