Companies and sites leak sensitive data all the time, people might say. But it is far from typical when the company runs an adult live-streaming service and the data amounts to 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts.
CAM4 is a popular adult cam platform offering “free live sex cams.” In a survey by the security review site Safety Detectives, researchers found that CAM4 had misconfigured a production database, making it easy to find heaps of personal information, along with substantial corporate details such as fraud information.
According to CAM4, the number of people who could actually have been identified was much smaller than the number of exposed records. Kevin Krieg, technical director of Smart-X, which manages the CAM4 database, stated: “The payout information could have easily exposed 93 people, including performers and customers, if a breach had occurred.” Safety Detectives put the number at “a few hundred.”
The mistake CAM4 made isn’t unique. Server mix-ups leading to data leaks are routine: data meant for internal use only is left online with no password protection because someone makes a configuration error, and the information leaks out. The list of data CAM4 leaked is alarmingly comprehensive. The production logs that the Safety Detectives investigators found dated back to March 16, 2020, and contained sensitive information. Of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 held password hashes for both CAM4 users and website systems.
“The server in question was a log aggregation server from a bunch of different sources, but the server was considered non-confidential,” says Krieg. “The 93 records entered the logs because of a developer’s mistake: the developer was looking to debug an issue, but accidentally logged those records when an error happened to that log file.”
The Affected Lot
According to the Safety Detectives analysis, around 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. CAM4’s parent company, Granity Entertainment, took the problematic server offline within half an hour of being contacted by the researchers, but by then the damage had already been done.
The leak is a serious one. Anyone who dug through the leaked information would have found enough about a person, including their sexual preferences, to blackmail them. CAM4 users who reuse passwords would also be at immediate risk of credential stuffing attacks, which would expose every account whose owner does not use strong, unique credentials.
Conversely, someone holding the email address of a CAM4 user could look up an associated password from a previous data breach and break into their account. The leaked data could have put adult cam site CAM4 at risk. Krieg stated that CAM4 had taken steps to prevent a repeat of the data leak. “It’s a server that should not have an outward-facing IP in the first place. We are going to move it to the internal LAN, so it becomes harder for people to get access to this type of server. We will make sure that nothing is on it that should not be on it, which includes any personally identifiable information,” he said.
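One control against the failure mode described above, where a debug statement wrote user records into logs shipped to a non-confidential aggregation server, is to scrub personal data at the logging handler before a line ever leaves the process. The following is an added example, not CAM4’s or Smart-X’s code: a Python logging filter that redacts e-mail addresses and hash-shaped tokens, with the patterns, the sample payout message and the in-memory sink all constructed for illustration.

```python
import logging
import re

# Constructed patterns: e-mail addresses and 32/40/64-char hex digests
# (the shape of MD5, SHA-1 and SHA-256 password hashes).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

def redact(text: str) -> str:
    """Replace e-mail addresses and hash-like tokens with fixed placeholders."""
    text = EMAIL_RE.sub("<email-redacted>", text)
    return HEX_HASH_RE.sub("<hash-redacted>", text)

class PiiRedactingFilter(logging.Filter):
    """Render the message with its args, scrub it, and keep only the clean form."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True       # keep the record, now scrubbed

class ListHandler(logging.Handler):
    """Stand-in for the remote log aggregation server: collects formatted lines."""
    def __init__(self, sink: list) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))

def build_logger(name: str) -> tuple:
    """Logger whose only handler redacts PII before a line is 'shipped'."""
    sink: list = []
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler(sink)
    handler.addFilter(PiiRedactingFilter())  # scrub runs before emit/format
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, sink

def debug_payout(logger: logging.Logger, user: dict) -> None:
    """The kind of debug line that, unfiltered, writes a user record to the logs."""
    logger.debug("payout failed for %s hash=%s amount=%s",
                 user["email"], user["pw_hash"], user["amount"])
```

The filter is attached to the handler rather than the logger so it also covers records that arrive from child loggers via propagation.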