Adult live streaming website CAM4 exposed over 7TB of personally identifiable information (PII) of members and users, stored within more than 10.88 billion database records.
The sensitive data was leaked after one of the site’s production databases was left open to Internet access on a misconfigured Elasticsearch cluster, with records dating back to March 16, 2020.
CAM4 has around 2 billion visitors each year and its members are streaming more than 1 million hours of adult content every week, with over 75,999 private shows being broadcast on a daily basis.
Exposed private chats and IP addresses
The CAM4 unsecured database was discovered by a Security Detectives team led by security researcher Anurag Sen, and it was taken down by Irish parent company Granity Entertainment immediately after the leak was reported.
The records contained a wide range of PII in various combinations and included anything from names, sexual orientation, and emails to IP addresses, email message transcripts, and private conversations between users.
After analyzing the exposed database, the researchers discovered that it contained:
• First and last names
• Email addresses
• Country of origin
• Sign-up dates
• Gender preference and sexual orientation
• Device information
• Miscellaneous user details such as spoken language
• Payments logs including credit card type, amount paid and applicable currency
• User conversations
• Transcripts of email correspondence
• Inter-user conversations
• Chat transcripts between users and CAM4
• Token information
• Password hashes
• IP addresses
• Fraud detection logs
• Spam detection logs
Furthermore, 11 million out of the almost 11 billion records found in the exposed logs also contained at least one email address from a variety of email providers including but not limited to gmail.com, icloud.com, and hotmail.com.
Millions exposed from the US, Brazil, Italy, France, and more
CAM4’s unsecured database was also analyzed to get a sense of how many users were exposed per country and, based on the results, over 6.5 million of them were U.S. residents.
Over 5.3 million Brazilians and 4.8 million Italians also had their PII exposed in the incident, with records of French and German users also being found in the millions (i.e., 4.1 million and 3 million, respectively).
“The security team also discovered 26,392,701 entries with password hashes, with a proportion of hashes belonging to CAM4.com users and some from website system resources,” the researchers said.
“Altogether, a ‘few hundred entries’ revealed full names, credit card types and payment amounts. The combination of all three is a critical aspect — as opposed to having limited access to just payment amounts without full names — because in unison they create a far greater security risk compared to just one or two information points in isolation.”
The PII exposed via this poorly configured Elasticsearch cluster could be used by attackers in a wide array of attacks targeting CAM4 users and members, ranging from highly convincing spear-phishing and blackmail campaigns to identity theft and various types of fraud.
Last week, French daily newspaper Le Figaro also exposed approximately 7.4 billion records containing personally identifiable information (PII) of reporters and employees, and of at least 42,000 users on a publicly-facing misconfigured Elasticsearch server.
Adult site leaks can be devastating for members
Data leaks affecting users and members of adult sites can be even more devastating given the highly sensitive nature of the information that gets exposed.
For instance, members of Canadian online dating and social networking site Ashley Madison are still being targeted in blackmail and sextortion campaigns threatening to expose them using information stolen after a data breach that took place in 2015.
And this is not even the biggest problem users of such platforms face after a data leak: scammers will also go after their spouses with highly targeted blackmail messages, as happened to the spouses of Ashley Madison users in 2016.
To make matters even worse, there are known cases of such scam campaigns leading to the targeted individuals taking their own lives, as happened to a New Orleans pastor who took his own life after the hackers behind the Ashley Madison breach exposed his name online.
Properly securing Elasticsearch clusters
Misconfigured and unsecured Elasticsearch servers are still being found online by security researchers every day, despite Elastic Stack’s core security features (authentication, role-based access control, TLS) having been free since May 2019.
While Elasticsearch’s dev team explained as far back as December 2013 that Elasticsearch servers should never be accessible from the Internet but instead configured for local access only, admins often forget this and expose highly sensitive data publicly, with no security controls in place.
Elastic NV advises database admins to secure their Elasticsearch clusters by “preventing unauthorized access with password protection, role-based access control, and IP filtering,” as well as by setting up passwords for the built-in users.
On Elastic NV’s documentation website, admins can also find a quick step-by-step guide on how to properly secure Elasticsearch clusters before deployment.
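The combination that produces leaks like this one is an HTTP interface bound to a non-loopback address on a cluster where X-Pack security is switched off (the default before Elasticsearch 8.0). The following audit script is an added example, not code from Elastic or from the article, and the two elasticsearch.yml fragments it checks are constructed for illustration (the cluster name and the 10.0.5.0/24 address are made up). It hand-parses the flat key/value lines of elasticsearch.yml and flags the weak settings the article’s advice targets: exposure without authentication, plaintext HTTP with authentication on, and a reachable cluster with no IP filter.

```python
"""Audit an elasticsearch.yml for the misconfiguration behind CAM4-style leaks:
an HTTP API bound beyond loopback while xpack.security is disabled.
Added example; the sample configs below are constructed, not any real site's."""

# Bind values that keep the API on the local host only (_local_ is the
# Elasticsearch special value for loopback interfaces).
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_yml(text):
    """Minimal parser for the flat 'key: value' lines used in elasticsearch.yml.
    Comments and blank lines are skipped; inline lists like [a, b] are split.
    (Deliberately not a full YAML parser, so the example runs with no deps.)"""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip().strip("\"'")
                             for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key] = value.strip("\"'")
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit(text):
    """Return a list of (severity, setting, message); an empty list means no finding."""
    s = parse_yml(text)
    findings = []
    hosts = s.get("network.host", "_local_")
    if isinstance(hosts, str):
        hosts = [hosts]
    exposed = [h for h in hosts if h not in LOOPBACK]
    # Before 8.0 the default is off, so an absent key counts as disabled.
    security_on = is_true(s.get("xpack.security.enabled", "false"))

    if exposed and not security_on:
        findings.append(("critical", "network.host",
                         f"HTTP API bound to {', '.join(exposed)} with "
                         "xpack.security.enabled off: anyone who can reach "
                         "port 9200 can read, modify or delete every index"))
    elif not security_on:
        findings.append(("high", "xpack.security.enabled",
                         "security is off; the cluster is protected only by "
                         "its loopback binding"))
    if security_on and not is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(("medium", "xpack.security.http.ssl.enabled",
                         "authentication is on but HTTP is plaintext, so "
                         "basic-auth credentials travel in the clear"))
    if exposed and security_on and not (
            "xpack.security.http.filter.allow" in s
            or "xpack.security.http.filter.deny" in s):
        findings.append(("low", "xpack.security.http.filter",
                         "no IP filter configured; every network peer can "
                         "reach the login endpoint"))
    return findings


# Constructed configs: the weak shape that leaks data, and its hardened form.
WEAK_CONFIG = """
cluster.name: cam-prod          # constructed example, not CAM4's real config
network.host: 0.0.0.0           # listens on every interface ...
http.port: 9200                 # ... and security is left at its default (off)
"""

HARDENED_CONFIG = """
cluster.name: cam-prod
network.host: 10.0.5.12         # constructed private address, not a public one
http.port: 9200
xpack.security.enabled: true    # passwords + role-based access control
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.filter.allow: ["10.0.5.0/24"]   # IP filtering
xpack.security.http.filter.deny: _all
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Running it reports one critical finding for the weak fragment and none for the hardened one. After enabling security on a 7.x cluster, the built-in user passwords the article mentions are set with `bin/elasticsearch-setup-passwords interactive`; the audit deliberately treats a missing `xpack.security.enabled` as disabled because that is the pre-8.0 default, which is exactly the assumption admins get wrong.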