The two forums are EscortForumIt.xxx and Hookers.nl -- serving sex workers and customers in Italy and the Netherlands, where prostitution is legal.
Both forums have confirmed the breaches this week.
vBulletin zero-day strikes again
Both were running outdated versions of the vBulletin forum software. The hacker told ZDNet this week in an email that he used a vBulletin zero-day (CVE-2019-16759) disclosed at the end of September to breach the two sites.
The hacker is now selling the data on a publicly available hacking forum. Stolen data includes usernames, email addresses, and password hashes -- obtained from both forums, with 33k records from the Italian one, and 300k from the Dutch one.
According to a sample of the data obtained by ZDNet, in the case of the Dutch forum, the hacker also appears to have gained access to the site's internal paid subscription system, although there was no financial information included in the sample we received.
The hacker is selling user data from these four, along with the user databases for 10+ other vBulletin-based forums.
Blackmail cannon fodder
While this data is being sold now, this type of information usually finds its way into the public domain at one point or another.
When that happens, users with accounts on the three adult-themed sites will be vulnerable to blackmail attempts. This is not a hypothetical scenario. These types of extortion campaigns have happened in the past, especially after the Ashley Madison data breach.