Thousands of Adult Website Accounts Compromised
Keith writes "Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it." The article gives suggestions for anyone who opened an account at any adult website in the last several months.
Re:If true, this isn't particularly surprising. (Score:5, Informative)
You do realize that prepaid credit cards exist, right? You can set any name to it and use it. Since you don't have to have anything physical delivered and it's all online, then you can create fake names and leave out addresses.
Gift Cards (Score:5, Informative)
After you buy it, you go to a web site from the card vendor, enter the card number and security code, and then set the user name and billing zip code. Then go wild (well, to the extent that you can go wild with $50...). Here's one such card [allaccessgift.com] that is available at a lot of places.
There are also cards that you can refill from your "real" credit card, but then you are easier to trace. Might as well use a non-refillable card, purchased with cash. That way, if "all models 18 or over, proof on file" turns out to not quite be true, no credit card that can be tied to you will be in the site's records. :-)
If that's not a concern, though, and you are just trying to limit exposure of your real credit card, then go ahead with the refillable cards. In fact, there are even some that are purely online. They don't provide a physical card. You just go to their site, sign up with your credit card, and they give you a credit card number to use online, with a limit of whatever you want to transfer from your credit card. Here is one such virtual card [www-card.com].
NOTE: some gift cards cannot be used for porn or gambling, so choose appropriately. And some can be so used, but add a surcharge for porn.
RE: The Truth (Score:5, Informative)
I work in adult, and have worked with this CMS very closely for the last 2 years.
I'm not on anyone's side, but unfortunately this problem has been surrounded by a lot of misinformation.
It is interesting and rather important to note: The poster of the blog article is an absolute douchebag. I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland.
He fails to mention that he's hated by the industry, mainly for the reason that he posted 300 username / password combinations of webmasters publicly, which resulted in a lot of them having money stolen from online accounts, etc.
More intelligent ramblings from this guy: My Guide To Tax Evasion [gofuckyourself.com] - Why The Unibomber was right [keithkimmel.com]
Summary: The breach was real. Scope seems to be limited ONLY to member data. Signed up? Expect some spam. Signed up with a password that you use on all your accounts? Check your head, change the passwords.
Read more about our friend "minusonbit" - here - on an industry forum [gofuckyourself.com] and judge for yourself.
TMM are a bunch of lying bastards (Score:2, Informative)
Our customers are not happy.
Re:Gift Cards (Score:5, Informative)
CC information does not, repeat, does not [read: is illegal to keep] on the servers of sites.
It is maintained by the billers and processors, who thankfully, have better security.
The threat of stolen CC info is FUD by the poster.
I WROTE THE STORY. I STAND BEHIND IT 110%. (Score:2, Informative)
I am the guy who wrote the story.
I have already been threatened with a libel lawsuit by a senior executive of Too Much Media for publishing this. I published it anyway. They are still making lawsuit threats http://www.gfy.com/showpost.php?p=13561241&postcount=418 [gfy.com]. I honestly do not care about their threats, I will continue to give media interviews and I will continue to push this story out there. Because people need to know what the industry does not want to tell you.
Go ahead and do what the other poster recommends. Go to GFY and look up "minusonebit". You'll see that I am not well liked within the industry. It's a good thing I am not in the industry to make friends with people therein. I have a growing following of trolls and bashers who are trying everything to tear me down because I have told it like it is. I went to GFY to grow a venture I started. I have been around there a while and I have seen a lot of BS go down but this takes the cake.
The adult industry would love to sweep this under the rug. They have already directed everyone here to try and do damage control, to vote this down or do whatever they can to keep it from spreading. I don't think that's the way it should be handled so I have spent most of the weekend making sure that this story gets out and people The industry has also been telling me how http://www.gfy.com/showpost.php?p=13561426&postcount=12 [gfy.com] this story won't last here because apparently the ownership of Slashdot has an interest in NATS.
Yes folks, people still do buy porn. Not everyone uses the torrents. But this is your credit card information that they couldn't care less about. They tried to cover it up. They are still trying to cover it up! They still have not notified the customers. Please people, flush this toilet. Write to your elected officials and your banks and demand action. This is not the first time that the industry has suffered a breach. But it hasn't been publicized like this one. This is not how all of the adult industry wants to do business. Some people want to bury this as well and have business as usual. But some of us welcome a chance to clean this mess up and restore respect to the profession.
I STAND BEHIND MY REPORT. I CHALLENGE ANYONE TO DISPROVE IT.
Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (Score:2, Informative)
Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (Score:5, Informative)
It's very simple: You've cast aspersions that CC data was stolen.
Post proof. We're waiting.
Anyone can go to http://www.gofuckyourself.com/forumdisplay.php?f=26 [gofuckyourself.com] an industry forum, search for 'minusonebit', and read for yourself about this guy, and the misinformation that surrounds him.
Re: The Truth (Score:2, Informative)
Re:If true, this isn't particularly surprising. (Score:5, Informative)
All in all, in countries like Germany there's a much healthier attitude to sex and the adult industry. Both consumers and providers are much better protected there.
It seems to me that in the UK in particular (which is a semi-fascist state at best anyway) the repression and legislation of the adult industry is increasing, from what was already a very repressed and intolerant level. This is not healthy, this simply makes it easier for organized crime, and incidents like this one to occur.
NATS does not have that much market penetration (Score:2, Informative)
I can personally vouch for the fact that neither BlueBlood.com [blueblood.com] nor SpookyCash.com [spookycash.com] nor any of their subsidiary or partner sites have ever implemented NATS in any way.
If, during the time of the alleged NATS security breach, you bought a membership to an adult site, the odds are that no vital data of yours was harvested. If you happened to buy from a site using NATS and anything was harvested, it was probably only your email address. Which sucks, but does not mean you need to cancel your credit cards and checking account. Some industry insiders allege that NATS knew about the data security breach and ignored it, some say NATS thought they had successfully fixed the problem, and some say there was no technical data leak and NATS people were the ones spamming. The specifics do not matter all that much to me because I don't personally use their software and I'm resigned to being spammed. Your credit card info is probably safer at an adult site than most places on the net because adult industry tends to lead technological advances in media.
I do think it is important for people to understand that a site's members are vital for the site to continue. If you like the kind of content a site is posting, buying a membership is the most effective way to keep that kind of content being produced. It might seem like your few dollars, plus or minus, would not make that big a difference, but it really does. It is basically voting with your wallet for what you want to exist and flourish.
Re: The Truth (Score:3, Informative)
The MinusOneBit Guide to Tax Evasion [gofuckyourself.com]
And the kicker:
If You Cheat on Your Taxes and Get Away With It... Do the Right Thing... [gofuckyourself.com]
E-mail me at minusonebit@gmail.com and tell me how you did it so I can spread the tip to others.
Re: The Truth (Score:4, Informative)
Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existence, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has permissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen.
NATS, the software in question here, acts as a gateway to the payment processor. CC information is never entered or passed through NATS.
It's just the same as when you make a purchase on a website through PayPal. No CC information is ever given to the site, all they receive is a postback. That's exactly the situation here, CC data is stored on the processing servers, and is completely distinct from this mess.
It was reported that CC data was stolen, or may have been, but this is entirely untrue as you can see above.
Re:LINKS NOT SAFE FOR WORK (Score:2, Informative)
So I'm posting to undo the moderation.
Re:If true, this isn't particularly surprising. (Score:1, Informative)
A hell of a lot of women don't like the idea. Maybe that's why geeks find it hard to have women stay close for long.