Adult website data leak connected private users to content uploads

An open database provided full access to user emails and the content they uploaded, liked, and shared.
Written by Charlie Osborne, Contributing Writer

An adult content-sharing website exposed user data and left them vulnerable to a range of attacks, researchers say. 

On Monday, vpnMentor's research team, led by cybersecurity professionals Noam Rotem and Ran Locar, said that Luscious was subject to a data breach that gave the team access to 1.195 million user accounts.

Luscious is used to share niche pornographic material, including computer-generated graphics and animations. The website is similar to a Tumblr setup, in which the main page includes a newsfeed with the latest content uploaded or updated by users. 

See also: Threesome app exposes user data, locations from London to the White House

According to the team, an authentication failure on the website allowed for unfettered access to all user accounts hosted by the Luscious database. Usernames, personal email addresses, locations, activity logs, genders, and some full names -- exposed through the private email addresses -- were available. 

The team was also able to view user activity in great detail, including their video and image album uploads, likes, comments, userIDs, followers, and blog posts. 

"Some of these blog posts were extremely personal -- including depressive or otherwise vulnerable content -- and kept anonymous," vpnMentor says. "Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors' identities revealed."

It is estimated that up to 20 percent of the Luscious accounts use throwaway or fake email accounts, but this still leaves roughly 800,000 legitimate email addresses and private profiles exposed. 

CNET: Google tightens grip on some Android data over privacy fears, report says

Based on their leaked email addresses, many users involved in the breach come from France, Germany, Russia, and Poland. Interestingly, a number of official government email addresses were also used to sign up, including those from Brazil, Australia, Italy, Malaysia, and Australia. 

The data breach potentially had serious consequences by connecting legitimate email account holders to Luscious profiles and content which should have been kept anonymous. Should adult website activity be linked to yourself, a friend, family member, or employer, these links could be exploited by attackers coercively.

Bullying and harassment, blackmail payments based on the threat of exposure, and phishing could all occur due to data breaches of this nature. 

TechRepublic: How to prevent data destruction from cybersecurity attacks

vpnMentor discovered the Luscious data breach on August 15. The website's operators reacted promptly and the security hole was fixed on August 19. However, the team noted that it is not known how long the user accounts were vulnerable, and so cyberattackers may have extracted profile data before the data breach closure. 

Earlier this month, researchers disclosed a security breach impacting 3Fun, an adult dating and encounters mobile application. A data leak exposed the specific locations of those seeking such encounters, as well as their dates of birth, sexual preferences, chat logs, and private pictures. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards