Adult website Luscious leaked sensitive data of its 1.1 MILLION users, including full names, email addresses, and locations
- The site Luscious exposed more than 1 million users through a public database
- Email addresses, full names, likes, comments and more were accessible
- Researchers say it could expose users to doxxing, extortion, and phishing
- Luscious has closed the database, but it's unclear what harm was done, if any
A site used to share adult content has exposed the email addresses and personal information of more than one million users, according to security researchers.
In a report from vpnMentor, researchers say 1.195 million members of the site Luscious, a forum where people share animated porn, were affected by an authentication issue that allowed access to the site’s database.
According to them, the exposure included usernames, email addresses, locations, activity logs, genders, and in some cases, full names.
Activity logs of liked pictures, videos, and comments were also available without a password, they say.
‘The data breach our team discovered compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address,’ the researchers wrote in a post.
‘The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.’
Researchers say the exposure opens users up to several types of attacks, including doxxing — the act of exposing someone’s identity publicly with malicious intent — and extortion.
‘Once a Luscious user’s identity is compromised, they can be targeted for more than just bullying,’ they say.
‘Hackers could threaten to expose users unless they pay a ransom. Given the sensitive nature of this data breach, victims are incredibly vulnerable and likely to pay.’
Alternatively, savvier bad actors might devise a phishing scam, using the email addresses of people who were exposed to send out phony emails.
Those faked correspondences could be used to pose as businesses and trick one into downloading malware or divulging sensitive information.
Users exposed in the breach came mostly from European countries including France, Germany, Poland, and Russia, with a select number using official government email addresses to register for the site.
VpnMentor says that dozens of .gov email addresses were found to be exposed by the site in addition to ‘less than 1,000’ .edu addresses.
Those addresses belong to users in Brazil, Australia, Italy, Malaysia, and Australia.
‘This adds a great deal of additional vulnerability not just to the users, but also their employers,’ they wrote.
‘With access to employee email addresses, criminal hackers can target government agencies and departments in a number of ways.’
Researchers say they discovered the unsecured server through a web mapping project on August 15 and reported it to the site.
While servers were secured on August 19, it’s unclear how long the database was left open to the public and whether it resulted in any malicious attacks on Luscious’ users.
HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED
Have I Been Pwned?
Cybersecurity expert and Microsoft regional director Troy Hunt runs ‘Have I Been Pwned’.
The website lets you check whether your email has been compromised as part of any of the data breaches that have happened.
If your email address pops up you should change your password.
To check if your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.
The search tool will check it against the details of historical data breaches that made this information publicly visible.
If your password does pop up, you’re likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.
Mr Hunt built the site to help people check whether or not the password they’d like to use was on a list of known breached passwords.
The site does not store your password next to any personally identifiable data and every password is encrypted.
Other Safety Tips
Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use.
Next, enable two-factor authentication. Lastly, keep abreast of any breaches.