An unprotected database for the adult live-streaming website CAM4 has left millions of people’s personal information available to the public and could be used by criminals to commit fraud.
Information left insecure on the website's database includes first and last names, email addresses, gender and sexual orientation, device information, payment logs including credit card types, transcripts of emails, IP addresses and password hashes, researchers said.
Password hashes are converted passwords – written as strings of incomprehensible characters – that are supposed to be converted back to readable text.
According to a team of researchers from Security Detective a 7TB database contained over 10.88 billion records dating back to 16 March.
US, Brazilian and Italian users were the worst affected, although the exact scale of the vulnerability is difficult to know as multiple entries were duplicated.
Most concerning were the few hundred cases where full names, credit card types, and payment information were grouped together, as that information used together could be used by to get access to even more sensitive information.
Many of the emails were from major domain names such as Gmail, iCloud, and Hotmail.
It is unclear how the information left vulnerable relates between models and content viewers, as everyone with a CAM4 account can broadcast if they choose to, and the researchers were not able to differentiate between performers and viewers.
The breach also had information related to fraud and spam detection, which means that hackers could have had greater insight into the live-streaming site’s security defences.
The researchers said that the logs enable hackers to see how security systems have been set up and “could be used as an ideal verification tool for malicious hackers, as well as, enabling a greater level of server penetration. Moreover, website backend data could be harnessed to exploit the website and create threats including ransomware attacks.”
“Possibly the greatest risk in both financial and reputational respects is the risk of blackmail scams that could be deployed against users who believe they are anonymous when sharing compromising data and content,” the researchers continued.
This is not the only instance where an adult site has left its users’ personal information insecure. Affair website Ashley Madison infamously had 37 million personal records accessed by hackers who threatened to reveal the data if the site was not shut down.
Other services, including the Marriott hotel chain, British Airways, and Uber have also exposed users’ private data in the past.
