Registered users should “rest assured” that none of their data has been exposed, according to a statement released Thursday afternoon by the popular adult Web site YouPorn. There's still no official number on how many people were affected.
Registered users should “rest assured” that none of their data has been exposed, according to a statement released Thursday afternoon by the world's most popular adult Web site YouPorn. There's still no official number on how many people were affected by an information breach that exposed millions of user accounts.
“We’d like to stress again, none of YouPorn’s more than 4.75 Million user accounts were compromised,” said Brad Black, YouPorn’s vice president of operations. Black blamed poor security practices of a third party service provider for the breach and the media for exaggerating the number of users affected.
A thread on Flashback.org , Sweden’s largest Web forum, revealed that data for registered users of YouPorn's chat client was openly accessible until the server was taken offline on Tuesday, according to a blog entry by Anders Nilsson , a security specialist at the Scandinavian firm Eurosecure. The information contained e-mail addresses and passwords for more than one million users.
YouPorn is one of the most visited Web sites in the world. In its heyday, the site was pulling 15 million news users every month , according to a 2007 report from the Guardian. Black, in a statement (NSFW) released Thursday, says the site has 4.7 million users and that “the number of unique users affected was several thousand, not millions.”
Despite password safety rules, “a surprisingly large portion of Internet users use the same passwords for many of the services they use on the Internet, whether it is e-mail accounts, Facebook, PayPal, or other services,” Nilsson wrote.
Hackers had already started checking passwords against e-mail addresses and posting “intimate pictures” retrieved from e-mail accounts, he wrote in the blog. Once hackers get into a person’s e-mail account, they can secure even more information to launch phishing attacks or fraud operations.
Said Nilsson, “For a security professional it is baffling how coders working on a website with such sensitive content can make mistakes of this magnitude. Allegedly hundreds of megabytes of data has been secured by people with unknown goals.”
In its own investigation, YouPorn says it found that poor security practices by a third party provider resulted in user logs being left behind in a public directory. The user information was available online for an unknown amount of time after a programmer,(Nilsson questions if it was accidentally) left debug logging on to a publicly accessible URL in YouPorn’s chat client, called YP Chat, around November 2007. It’s been logging data ever since.
The data, posted on Pastebin, contained information for 6,400 users, but that was only data from 2012. “There were far more registrations during 2008-2011, and a total of unique e-mails is a little more than 1.3 million,” Nilsson said in an interview on Friday.
The hole was probably found “by someone sweeping Web sites for publicly accessible, but non-linked ('hidden') folders, looking for…both porn or sensitive material like this, and struck gold,” Nilsson wrote.
“As far as I know, and can tell, there is no link between the [YP Chat] accounts, and the accounts on the main site,” Nilsson said.
YouPorn emphasizes that it didn’t suffer a breach in security and says that even though the chat client is for YouPorn users, the YP Chat servers are operated by a third party and doesn't connect to YouPorn secure data.
“The chat service is owned and operated by a third party and is in no way associated with YouPorn.com,” he said. As soon as the breach was discovered, user access to YP Chat was blocked. He also recommended that any users who use their YP Chat login information for other accounts change their login information.
YouPorn users haven’t been shy to criticize the site for lax security in comments online that a spokesperson has been addressing both on the site and on Twitter.
Thursday afternoon, Eurosecure posted statistics from the leaked data . The top YouPorn user password was “123456,” and being used by 72,915 users. The sixth most common was “password," used by 8,380 users.
Email addresses included 239 U.S. military addresses, three U.S. government addresses, and four Australian and UK government addresses.
Eurosecure released an infographic based on the data Friday afternoon.
Infographic created by Anders Nilsson