Naked Security

Hacker wants $300 for 250,000 records stolen from sex worker site

In spite of prostitution being legal in the Netherlands, this could lead to the same kind of blackmail attempts, and even suicides, that followed the Ashley Madison breach.

A hacker has stepped through a hole in vBulletin web software to steal all email addresses from a Dutch website for prostitution and escort customers and for sex workers themselves, Hookers.nl.

According to local news outlet NOS, the total number of accounts whose email addresses were exposed is 250,000. Besides the email addresses, the hacker also obtained user names, IP addresses and passwords, NOS reports.

The passwords are reportedly encrypted. We don’t have details of exactly how they’re protected, but as we reported in June, vBulletin is one of the content management systems (CMSes) that properly secure passwords. That means it does hashing right – hashing being one part of the encrypting/hashing/salting recipe for securing passwords – by using bcrypt, a password hashing function that is deliberately slow and resistant to GPU-based parallel cracking.

(Here’s a primer on how to securely store users’ passwords that delves into the details.)
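To make the "hashing right" point concrete, here is an added example (not code from the article or from vBulletin) contrasting a fast, unsalted hash with a salted, tunable-cost hash of the kind bcrypt provides. bcrypt itself is not in Python's standard library, so scrypt from `hashlib` stands in for it; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: two accounts that happen to share the same password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2"}

# Weak storage: one fast, unsalted hash. Every account with the same
# password gets the same hash, so one precomputed table serves all of them.
def weak_store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Salted, memory-hard storage. The cost parameters are written into the
# stored string (as bcrypt does with its "$2b$12$..." prefix) so they can be
# raised later without breaking verification of older hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def strong_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def weak_hashes_collide(users=SAMPLE_USERS) -> bool:
    hashes = [weak_store(pw) for pw in users.values()]
    return len(set(hashes)) < len(hashes)  # True: identical passwords, identical hashes

def strong_hashes_collide(users=SAMPLE_USERS) -> bool:
    hashes = [strong_store(pw) for pw in users.values()]
    return len(set(hashes)) < len(hashes)  # False: per-account salt breaks the table

if __name__ == "__main__":
    print("weak hashes collide:", weak_hashes_collide())
    print("strong hashes collide:", strong_hashes_collide())
    record = strong_store("hunter2")
    print("verify correct password:", strong_verify("hunter2", record))
    print("verify wrong password:", strong_verify("hunter3", record))
```

With a leaked table of the weak form, one guess checks every account at once; with the salted, slow form, each guess must be recomputed per account at the stored cost, which is why users should still change passwords but the leaked hashes are far less immediately useful.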

On Thursday, the site’s main moderator announced the breach and advised users to change their login details, in spite of passwords apparently not being affected.

According to the notification, Hookers.nl found out about the breach from its external software supplier, vBulletin, which reported that a flaw had been discovered in its software that gave access to the site’s database.

Hookers.nl said that vBulletin took action “as quickly as possible,” releasing a software patch that the site tested and promptly implemented.

The Hookers.nl moderator said that the hacker has put the email addresses up for sale online. NOS said that they’re asking $300.

Visitors to Hookers.nl swap experiences and tips on the site. Prostitution is legal, and heavily regulated, in the Netherlands. But that doesn’t mean that visitors to Hookers.nl want their association with the industry to be publicly broadcast, be they sex workers or clients.

Although many, if not most, Hookers.nl users avoid using their main email address on the site, instead using an alias email account in order to keep their visits private, NOS has viewed a sample of the data up for sale and says that many forum members use an email address from which their real name can be derived. IP addresses can also reveal at least a rough geographic location for users.

Ashley Madison all over again

One of the main risks of the breach is that forum visitors may be blackmailed, be they prostitutes, escorts, or clientele whose partners are unaware of their activity.

If Ashley Madison’s breach is any indication, blackmail attempts or public shaming could result from the Hookers.nl breach. That’s what happened after the adultery hookup site was breached in 2015, with the subsequent exposure of names, email addresses and sexual fantasies of nearly 40 million users.

The fallout was nasty and prolonged, as the culprits kept turning the screws on victims they dismissed as “cheating dirtbags.” Unsurprisingly, extortion attempts followed, as did at least one suicide confirmed as being linked to the breach.

NOS talked to Arda Gerkens, of Helpwanted.nl, which assists young victims of sex-related abuse:

Membership in such a forum is certainly something that can be extorted with. Some people are not secretive about their prostitution visit, but it is certainly when people use a nickname that they want to remain anonymous.

NOS, which broke this story, talked to the hacker. They hadn’t sold the stolen data yet, but they said they were sure that it wouldn’t be hard to do:

Certainly people want to buy it, bro.