All breaches that expose PII (personally identifiable information) are bad, but those that come from adult websites are definitely the worst. CAM4, an adult live streaming platform that has around two billion unique visitors every year, misconfigured an Elasticsearch cluster, leaving a set of production databases unprotected online and accessible to anyone with a web browser. The discovery was the work of security researcher Anurag Sen, and while the response from the CAM4 team was immediate, the exposed records could have been copied by someone in the meantime.
The information that has been exposed includes the following details:
The number of records is 10.88 billion, so the amount of data that has been exposed is humongous. As expected, not all records are equally rich: some include payment details (credit cards and payment amounts), others come with hashed passwords, and some have multiple email addresses connected with a single username. With all that was leaked, malicious actors could extort the exposed individuals, scam them, phish them, and generally set up highly targeted fraudulent operations. Blackmail is the worst-case scenario, though, as many of the cam models on these platforms wouldn’t want their direct social circle or family to know about their side job.
The largest number of records concerns users from the United States, followed by many Brazilians, Italians, Germans, and users from Spain and France. The researchers have also located information that could enable actors to launch attacks on the website, since backend data was exposed as well.
In general, you shouldn’t trust any online platform with your identity, let alone those that can potentially radically affect your life. Thus, use anonymous email addresses, don’t connect social media accounts with these platforms, only give out the least possible identification details required for your registration, avoid using credit cards as a payment method, and always use unique and strong passwords.