author photo
By SecureWorld News Team
Thu | Nov 18, 2021 | 3:03 AM PST

Whether you are for it or against it, online sex work is a major industry and statistics show millions of users are accessing adult sites like PornHub each year.

With that much user traffic, security and privacy measures need to be tight to protect both customers and cam models alike. 

A recent case brings this to light. It involves a site called Stripchat. The exposure may have gone too far, even for a live entertainment website. 

Bob Diachenko, Cyber Threat Intelligence for Comparitech, discovered Stripchat's website exposed more than 65 million people's information through the ElasticSearch database cluster. 

Further, the data could be accessed without a password and was available for more than three days. 

Consequences of the data leak: stalking, harassment, and more

This is a nightmare scenario with so much sensitive information on the line, according to Diachenko.

"The exposure could pose a significant privacy risk for both Stripchat viewers and models. If the data was stolen, they could face harassment, humiliation, stalking, extortion, phishing, and other threats both online and offline."

For 65 million viewers, Diachenko uncovered email address, username, IP address, internet service provider, tip balance, timestamp of account creation and last activity, and more.

The models of the site—412,000 records in total— were also probable victims. Username, gender, studio ID, live status, tip menus and pricing, and their "StripScore," meaning the model's ranking on the site, had been exposed. 

In addition, 719,000 public and private messages sent to models could also be accessed. 

The possibilities of what could happen if this information falls, or fell, into the wrong hands is terrifying. 

"The exposure could be a digital and physical threat for both Stripchat viewers and models. IP addresses, which can be used to approximate someone’s location, are particularly worrying. They could enable someone to find and stalk, harass, or even assault someone in the database.

Aside from physical violence, the identifying information could be used to extort, bully, or humiliate victims who thought their online activities were private," Diachenko said. 

As evidence of the humiliation a data breach like this could cause, police in Mumbai, India arrested suspects connected to a Stripchat sextortion ring. The suspects were blackmailing victims through information accessed on the adult site. However, it is not clear if this was related to Diachenko's discovery. 

Investigation into Stripchat data exposure

After the data exposure was uncovered, Diachenko says he reported it to Stripchat. 

He shared this timeline of the incident:

  • November 4, 2021 – The database was indexed by search engines.
  • November 5, 2021 – Diachenko discovered the database, determined the owner, and sent an alert to Stripchat per our responsible disclosure policy.
  • November 7, 2021 – The database was no longer available.

While the database is now secured, Diachenko says those exposed in this should watch for indicators they are a target. 

"...victims should be on the lookout for targeted phishing emails from fraudsters posing as Stripchat or a related company. Never click on links or attachments in unsolicited emails."

Read the full details of Diachenko's discovery on LinkedIn

Resources

SecureWorld's West Coast Virtual Conference is open for registration. Topics will span topics from launching a privacy program to creating a culture of security at your organization. 

Tags: Data Breach,
Comments