In its own investigation, YouPorn says it found that poor security practices by a third-party provider resulted in user logs being left behind in a public directory. The user information was available online for an unknown amount of time after a programmer (Nilsson questions whether it was accidental) left debug logging on, with the output going to a publicly accessible URL in YouPorn’s chat client, called YP Chat, around November 2007. It’s been logging data ever since.
The data, posted on Pastebin, contained information for 6,400 users, but that was only data from 2012. “There were far more registrations during 2008-2011, and a total of unique e-mails is a little more than 1.3 million,” Nilsson said in an interview on Friday.
The hole was probably found “by someone sweeping Web sites for publicly accessible, but non-linked ('hidden') folders, looking for…both porn or sensitive material like this, and struck gold,” Nilsson wrote.
“As far as I know, and can tell, there is no link between the [YP Chat] accounts, and the accounts on the main site,” Nilsson said.
YouPorn emphasizes that it didn’t suffer a breach in security and says that even though the chat client is for YouPorn users, the YP Chat servers are operated by a third party and don't connect to YouPorn's secure data.
“The chat service is owned and operated by a third party and is in no way associated with YouPorn.com,” he said. As soon as the breach was discovered, user access to YP Chat was blocked. He also recommended that any users who use their YP Chat login information for other accounts change their login information.
YouPorn users haven’t been shy about criticizing the site for lax security in online comments, which a spokesperson has been addressing both on the site and on Twitter.
Thursday afternoon, Eurosecure posted statistics from the leaked data. The top YouPorn user password was “123456,” used by 72,915 users. The sixth most common was “password,” used by 8,380 users.
Email addresses included 239 U.S. military addresses, three U.S. government addresses, and four Australian and UK government addresses.
Eurosecure released an infographic based on the data Friday afternoon.
Infographic created by Anders Nilsson