Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Databases Privacy The Internet

An Adult Cam Site Exposed 10.88 Billion Records (wired.com) 73

CAM4, a popular adult platform that advertises "free live sex cams," misconfigured an ElasticSearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs. According to Wired, the database exposed 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts -- 10.88 billions records in all. From the report: First of all, very important distinction here: There's no evidence that CAM4 was hacked, or that the database was accessed by malicious actors. That doesn't mean it wasn't, but this is not an Ashley Madison-style meltdown. It's the difference between leaving the bank vault door wide open (bad) and robbers actually stealing the money (much worse). [...] The list of data that CAM4 leaked is alarmingly comprehensive. The production logs Safety Detectives found date back to March 16 of this year; in addition to the categories of information mentioned above, they also included country of origin, sign-up dates, device information, language preferences, user names, hashed passwords, and email correspondence between users and the company.

Out of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 had password hashes for both CAM4 users and website systems. A few hundred of the entries included full names, credit card types, and payment amounts. Who's Affected? It's hard to say exactly, but the Safety Detectives analysis suggests that roughly 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. It's unclear to what extent the leak impacted both performers and customers.
The report says CAM4's parent company, Granity Entertainment, took the server offline within a half hour of being contacted by the researchers.
This discussion has been archived. No new comments can be posted.

An Adult Cam Site Exposed 10.88 Billion Records

Comments Filter:
  • Earth has ~7B people. Where are the ~4B illegal aliens watching porn from?
    • That just means their entire database was exposed to the world. Each entry in the database counts as a record.

      Seriously, learn to use a firewall and VPN and this will never be a problem for you. For bonus points, every once in a while do a nmap/port scan of your own hosts.
      • by arglebargle_xiv ( 2212710 ) on Wednesday May 06, 2020 @07:17AM (#60027828)

        Seriously, learn to use a firewall and VPN and this will never be a problem for you.

        A far more important one is: Don't log everything in the entire universe ever and keep the records forever. Friend of mine helped run a pr0n site in the 90s and if they'd been compromised the only thing on there was a salted iterated password hash and some encrypted site prefs that even if they were decrypted were meaningless binary blobs unless you had the whole site there to apply them to (I think it was a binary dump of some in-memory data structure).

        The problem wasn't the exposure, it was that they were recording and keeping forever a vast mass of crap whose only real practical use was blackmail if/when it got leaked.

        • When I read the summary I got confused. Do people actually give this information to sleezy porn sites? Wow, talk about naive.
        • Seriously, learn to use a firewall and VPN and this will never be a problem for you.

          A far more important one is: Don't log everything in the entire universe ever and keep the records forever.

          Or just don't go to skeevy camgirl sites. Try, oh, I dunno, talking to real girls.

          • by lgw ( 121541 )

            Try, oh, I dunno, talking to real girls.

            C'mon, this is Slashdot, let's stay within the bounds of meaningful possibility. Where the open source porn?

      • by Anonymous Coward

        Seriously, learn to use a firewall and VPN and this will never be a problem for you. For bonus points, every once in a while do a nmap/port scan of your own hosts.

        Seriously if you think this is ALL YOU NEED TO DO to avoid these problems, you are part of the problem.

        The problem here was a misconfigured ElasticSearch instance, that likely DID need to be exposed to the internet.

        Firewalls and port scans are basic shit for a network administrator. It's the equivalent of putting your seatbelt on in a Formula 1 c

      • by reanjr ( 588767 )

        The blame also lies with ElasticSearch for being insecure by design. The vast majority of server software has their own security mechanism so this doesn't happen.

        The story says it was misconfigured, which implies someone changed the config to make it that way. But that's probably not what happened here.

        • by Xenna ( 37238 )

          Elastic has no password protection by default but only listens on localhost IIRC. If you change the latter and keep the former you might have a bit of a problem.

          • Until recently, it didn't even support authentication.

            And it's cluster software. It's not like you can effectively run ES on localhost.

            Like all software that treats security as an add-on, ElasticSearch servers will continue to be compromised at alarming rates until everyone wises up and abandons itd

        • by rho ( 6063 )

          The blame also lies with ElasticSearch for being insecure by design

          The blame also lies with the entire "cloud" industry that has, for unknown reasons, convinced a generation of developers and C-level suits that the "cloud" is inherently secure. Entire dotcom businesses have been created to convince people to move to the cloud rather than hire competent system administrators to manage their incredibly important and vital IT infrastructure. Instead, they migrate to the "cloud," where it's SCALABLE! and SECURE!

          When you build your system on somebody else's computer using someb

          • by lgw ( 121541 )

            At the beginning of my career:

            These new-fangled client-server architectures are just a nightmare. Entire shady businesses have been created to convince people to move to Unix systems rather than hire competent mainframe administrators to manage their incredibly important and vital IT infrastructure, Instead they migrate to "servers," where it's SCALABLE! and SECURE!

            At the end of my career:

            The blame also lies with the entire "cloud" industry ... Entire dotcom businesses have been created to convince people to move to the cloud rather than hire competent system administrators to manage their incredibly important and vital IT infrastructure. Instead, they migrate to the "cloud," where it's SCALABLE! and SECURE!

            The world has moved on from your old paradigm. Sorry, buddy, it's not going back. Just learn how to secure the new

            • by rho ( 6063 )

              The world hasn't moved on from the old paradigm. It's the same paradigm, only now you pay Amazon monthly fees instead of hiring and training your own team.

              Virtualization of resources isn't the problem. Contracting out your critical infrastructure is the problem. It's not like contracting out your grounds maintenence. Once you choose a "cloud" provider, you're pretty much stuck with them. Moving elsewhere is hard and expensive. I'm surprised you don't understand this.

              • by lgw ( 121541 )

                And yet, back in the day what you're complaining about is how all of IT worked. Oh, it was called "the mainframe" instead of "the cloud", but why would you want your own computer, when terminals are cheap and low-maintenance? That worked well for decades, then everything shifted the other way for decades, now it's shifting back.

                I notice you seem to think that "hiring and training your own team" is good. Why would e.g. a tire company want or need that specialty? They don't, which is why it's almost alway

        • The blame also lies with ElasticSearch for being insecure by design. The vast majority of server software has their own security mechanism so this doesn't happen.

          Databases are not designed to be secure, unfortunately. Their programmers are not focused on that in the same way SSH devs are (for example). If you have your database on the open internet and not behind a VPN, you are at risk for something like this (so basically everyone on Heroku).

    • Record count != distinct people.

      • For comparison of scale, 10B records seems like a lot when you consider there are only 7B people and IPv4 only covers 4B unique IPs (many of them which cannot be allocated).

        Just on the size, I think we can infer that each record is not an account, but a visit to the site or maybe even a download of a video. Then 10B seems like a paltry amount, perhaps only a month's worth of "records".

    • by Zocalo ( 252965 )
      I'm guessing it was a relational DB (or collection of them). One person could then have multiple records in the "payments" table, in the "preferences" table, etc. They seem to think that only 6.6m US users were affected, so that works out at several hundred records for the average user which is probably about right given there's probably some kind of viewing history in there as well.

      Also, since some humans apparently get off on tentacle porn, maybe there are sentient alien octopii that get off on human
    • Well, obviously everyone thinks Earth girls are hot.
  • Who would use their real name to create an account on a sexcam site?

    It would be interesting to know the average IQ of people dumb enough to do that.

    Of the estimated 20 million accounts, the summary says only a few hundred had records of CC transactions. Even some of those may be the anonymous Visa cards you can buy for cash at Walmart.

    • It would be interesting to know the average IQ of people dumb enough to do that.

      Several?

    • Re: Real names? (Score:4, Informative)

      by SleepingEye ( 998933 ) on Wednesday May 06, 2020 @04:11AM (#60027540)
      How else would the common person pay for requests and tips?
    • by AmiMoJo ( 196126 )

      In the scheme of things paying for some porn with your credit card isn't a bit deal. I mean people have been buying porn mags for decades, often in person. And many more soft porn "lads mags".

      The real idiots are the ones who signed up to Ashley Madison after it had already been hacked.

      • The thing with these cam sites, especially for those of us not from puritanical nations, is that they are mostly used by people who can't go to a strip club or prostitute to get their rocks off. Men who are married or in long term relationships, high profile professions (politicians, clergymen, et Al) and people who are too lecherous that they've been banned from even the dodgiest cathouse. OK, there will be a few who genuinely get off on watching, and we dont judge these folk but mostly it's married men lo
      • by Tom ( 822 )

        The real idiots are the ones who signed up to Ashley Madison after it had already been hacked.

        Are they?

        You could be convinced that a 2nd hack is less likely and more importantly - less interesting. The first AD data was certainly spread widely. If you came a year later saying that you basically have the same thing plus a few updates... well, yeah... take a number.

        • I don't do banking on a computer that had malware once in its life, I apply a similar rule to websites.

          • by Tom ( 822 )

            Ok, you need to read "General Semantics" by Alfred Korzybski, because you're mixing so many things there that are at different levels of abstraction.

            Malware and data leaks are not the same thing when it comes to persistence. And a website and a physical device are not the same thing, either. My personal website, for example, has been on the same domain for over 20 years. Some of its content is nearly as old. However, it has changed the physical hardware it runs on and the geographic location that hardware c

    • by sosume ( 680416 )

      For their cam models it is mandatory to provide a photo ID with age to prevent lawsuits (potentially underage models). Also required to process payments from users to the models.

    • How else will a porn star find them in real life?

    • Who would use their real name to create an account on a sexcam site?

      Why not? They are a legitimate business provider who has to comply with the same laws any other business in Canada does.
      And let's face it, having someone know that you watched someone else masturbate doesn't come with the same kind of stigma as say declaring yourself a member of the republican party.

  • by phantomfive ( 622387 ) on Wednesday May 06, 2020 @02:44AM (#60027364) Journal
    Under the CCPA the fines for releasing PII can be so huge (up to $2500 per user) that releasing an entire database like that could be death to any average sized company. If you have a million users and their PII gets released, how much is that?

    If you are based in California, check your firewall tonight.
  • It would maybe be controversial. I would never check any of my friends email addresses, I promise =)
    • If that's the site I'm thinking of, they send their results to the email address being checked.

      • by fennec ( 936844 )
        No, they give the result directly in the page. But you're fine it looks like you've just been pwned on MyFitnessPal!
  • That's my only question here.

    Seriously, is there really 10.88 billions records for cam porn?

    • Seriously, is there really 10.88 billions records for cam porn?

      It says it includes the chat scripts, which will mean these records contain all the messages people left there while watching the videos.

  • for horn, for horn, for horn:
    https://www.youtube.com/watch?... [youtube.com]

    10 TB -> Amateurs ofc
    Actually, archive.org will have a "hard" time archiving all live streams from the various platforms.

  • This post contains 30 records.
  • by jellomizer ( 103300 ) on Wednesday May 06, 2020 @08:13AM (#60027940)

    Part of the problem, is nearly everyone has sexual ambitions. However our cultures make it seem like this is a really bad thing. However nearly everyone alive (Ok there are some artificial methods that came up in the last few decades) today is because their biological parents had sex at least once.

    If someone is caught watching porn on their personal time, then it should be treated like when someone makes a smelly poo in the bathroom. Just realizes that it happens and try not to embarrass the person and mostly just ignore it.

  • by bugs2squash ( 1132591 ) on Wednesday May 06, 2020 @08:25AM (#60027964)
    Isn't the whole point of the site to expose things usually kept private.
  • SELECT COUNT(*) FROM accounts WHERE lastname = 'Trump';

    2.8 billion records returned.

    ... Ah, that explains it....
  • It's not like millions of records of license-plate cameras were compromised.

    Oh wait [slashdot.org].

  • 8008 8008 (Score:4, Funny)

    by Impy the Impiuos Imp ( 442658 ) on Wednesday May 06, 2020 @09:22AM (#60028166) Journal

    Well thank god I never signed up, so they can't find my penchant for women whose breasts hang down to their bellybutton.

    Oop, almost forgot to check the anon box, lol! Can you imagine?

  • by Anonymous Coward

    Which records were 78s, 33s, or 45s.

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen

Working...