Hack Brief: An Adult Cam Site Exposed 10.88 Billion Records
CAM4 has taken the server offline, but not before it leaked 7TB of user data.
IT’S ALL TOO common for companies to leave databases chock full of sensitive information exposed to the great wide internet. But when that company operates an adult live streaming service, and that data comprises 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts—across 10.88 billion records in all—the stakes are a bit higher.
The site is CAM4, a popular adult platform that advertises “free live sex cams.” As part of a search on the Shodan engine for unsecured databases, security review site Safety Detectives found that CAM4 had misconfigured an Elasticsearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs.
“Leaving their production server publicly exposed without any password,” says Safety Detectives researcher Anurag Sen, whose team discovered the leak, “it’s really dangerous to the users and to the company.”
First of all, very important distinction here: There’s no evidence that CAM4 was hacked, or that the database was accessed by malicious actors. That doesn’t mean it wasn’t, but this is not an Ashley Madison–style meltdown. It’s the difference between leaving the bank vault door wide open (bad) and robbers actually stealing the money (much worse).
“The team concluded without any doubt that absolutely no personally identifiable information, including names, addresses, emails, IP addresses or financial data, was improperly accessed by anyone outside the Safety Detectives firm and CAM4’s company investigators,” the company said in a statement.
The company also says that the actual number of people who could have been identified was much smaller than the eye-popping number of exposed records. Payment and payout information could have exposed 93 people—a mix of performers and customers—had a breach occurred, says Kevin Krieg, technical director of Smart-X, which manages the CAM4 database. Safety Detectives put the number at “a few hundred.”
The mistake CAM4 made is also not unique. ElasticSearch server goofs have been the cause of countless high-profile data leaks. What typically happens: the server is intended for internal use only, but someone makes a configuration error that leaves it online with no password protection. “It’s a really common experience for me to see a lot of exposed ElasticSearch instances,” says security consultant Bob Diachenko, who has a long history of finding exposed databases. “The only surprise that came out of this is the data that is exposed this time.”
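The misconfiguration Diachenko describes usually comes down to a couple of lines in elasticsearch.yml: the HTTP API bound to every interface while authentication is switched off. The following is an added example, not code from the article or from CAM4, that reads a flat elasticsearch.yml and flags that pattern; the setting names are real Elasticsearch keys, and the sample configurations are constructed.

```python
# Added example (not from the article or CAM4): flag the "internal-only
# Elasticsearch left online with no password" pattern in a flat elasticsearch.yml.
# Setting names are real Elasticsearch keys; the sample configs are constructed.

LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}  # keeps the API on-host
# Elasticsearch's precedence for the HTTP bind address, most specific first.
BIND_KEYS = ("http.bind_host", "http.host", "network.bind_host", "network.host")


def parse_flat_yaml(text):
    """Parse the common 'key: value' form of elasticsearch.yml (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        # Accept scalars and simple inline lists such as [_local_, _site_].
        value = value.strip().strip("'\"").strip("[]")
        settings[key.strip()] = [v.strip().strip("'\"") for v in value.split(",")]
    return settings


def audit_es_config(text):
    """Return a list of findings; an empty list means the pattern was not found."""
    s = parse_flat_yaml(text)
    findings = []
    bind = ["_local_"]  # Elasticsearch default when no bind key is set
    for key in BIND_KEYS:
        if key in s:
            bind = s[key]
            break
    exposed = [addr for addr in bind if addr not in LOOPBACK]
    if exposed:
        findings.append(f"HTTP API bound to non-loopback address(es): {exposed}")
    sec = s.get("xpack.security.enabled", [None])[0]
    if sec is None:
        findings.append("xpack.security.enabled not set; its default depends on version")
    elif sec.lower() != "true":
        findings.append("xpack.security.enabled is false: no authentication on the API")
    if exposed and (sec is None or sec.lower() != "true"):
        findings.append("CRITICAL: reachable off-host with no password")
    return findings


# Constructed samples: the weak configuration beside the corrected one.
EXPOSED_CONFIG = "cluster.name: logs\nnetwork.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_CONFIG = "cluster.name: logs\nnetwork.host: _local_\nxpack.security.enabled: true\n"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or ["no findings"])
```

A loopback-only bind still needs a reverse proxy or VPN in front of it for legitimate internal clients; the check only tells you the server itself is not answering the whole internet.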
And there’s the rub. The list of data that CAM4 leaked is alarmingly comprehensive. The production logs Safety Detectives found date back to March 16 of this year; in addition to the categories of information mentioned above, they also included country of origin, sign-up dates, device information, language preferences, user names, hashed passwords, and email correspondence between users and the company.
Out of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 had password hashes for both CAM4 users and website systems.
“The server in question was a log aggregation server from a bunch of different sources, but the server was considered non-confidential,” says Krieg. “The 93 records got into the logs due to a mistake by a developer who was looking to debug an issue, but accidentally logged those records when an error happened to that log file.”
It’s hard to say exactly, but the Safety Detectives analysis suggests that roughly 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. It’s unclear to what extent the leak impacted both performers and customers.
There is no evidence that bad actors had access to all of those terabytes. Sen claims that Granity Entertainment, CAM4’s parent, took down the problem server within a half-hour of being contacted. Although this doesn’t excuse the original error, it does mean that the response was quick.
It was also difficult to link specific pieces of information with real names, due to the nature of the site and its data. Diachenko says that you have to go into the logs to find tokens, or any other information that could connect the data to a person or reveal their identity. “It shouldn’t have been posted online, but it’s not the most frightening thing I’ve ever seen.”
This isn’t to say everything’s perfect. Anyone who did the digging could have learned enough about someone, including their sexual preferences, to blackmail them. On a more basic level, cam users who reuse their passwords could be vulnerable to credential stuffing attacks, which could expose any accounts for which they don’t have strong, unique credentials.
Consider the opposite, too: Sen suggests that if you have an email address for a cam site user, there is a good chance you can get a password from a data breach and hack into their account.
Data from the leak could have put the cam site itself at serious risk; the privileged spam detection and fraud information could have provided potential attackers with a roadmap for how to bypass those defenses.
Krieg says that the adult cam site has taken steps to prevent another data leak. He says that the server should not have an external-facing IP. “We are going to move it to our internal network to make it harder for people to access this type of server. We also ensure that it does not contain any personally identifiable information.”
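Krieg’s second fix, keeping personally identifiable information out of the log server, is the one a developer’s stray debug statement defeats, as happened here. This added example, which is not code from the article, CAM4 or Smart-X, is a Python logging filter that scrubs email addresses, Luhn-valid card numbers and password-hash values before a record reaches any handler; the log messages are constructed.

```python
# Added example (not from the article, CAM4 or Smart-X): a logging filter that
# scrubs PII before a record reaches any handler, so a debugging statement
# cannot push raw user data into a shared log-aggregation server.
# Sample messages are constructed.
import logging
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes (card number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "password=..." / "password_hash: ..." pairs; keep the key, drop the value.
HASH_RE = re.compile(r"(?i)(password(?:_hash)?\s*[=:]\s*)(\S+)")


def luhn_ok(digits):
    """Luhn checksum, so order ids and timestamps are not over-redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Replace emails, Luhn-valid card numbers and password values with markers."""
    text = EMAIL_RE.sub("[email redacted]", text)
    text = HASH_RE.sub(r"\1[hash redacted]", text)
    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "[card redacted]" if luhn_ok(digits) else m.group(0)
    return CARD_RE.sub(card_sub, text)


class PIIRedactingFilter(logging.Filter):
    """Attach to a logger or handler; rewrites the formatted message in place."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; avoid a second % formatting
        return True


def filtered_message(msg, *args):
    """Build a LogRecord the way logging does and run it through the filter."""
    rec = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    PIIRedactingFilter().filter(rec)
    return rec.getMessage()
```

Attach the filter with `logger.addFilter(PIIRedactingFilter())` on every logger that ships to the aggregation server; a filter on the logger runs before any handler sees the record.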
Data leaks are a common occurrence. Although they aren’t as serious as breaches, they can still be devastating. Companies must take every precaution to safeguard sensitive information, not the minimum.