The popular adult live streaming website CAM4 exposed over 10.88 billion database records containing a total of 7TB of personally identifiable information (PII) of its members and users.
The data leak is the result of the accidental exposure of an Elasticsearch cluster managed by the company; the exposed records date back to March 16, 2020.
CAM4 is a live streaming website featuring live webcam performances by primarily amateur performers, filterable by female, male, transgender, or couples. Granity Entertainment owns the site, which has around 2 billion visitors each year.
The exposed cluster was discovered by the SafetyDetectives research team led by Anurag Sen, which reported the issue to Granity Entertainment; the company quickly took it down.
“Our security research team, led by Anurag Sen, has discovered a significant data leak stretching into billions of records at adult live-streaming website CAM4.com, belonging to Irish company Granity Entertainment.” continues the report.
“The server’s database size exceeded 7 terabytes with production logs dating from 16 March 2020 and increasing daily. The unsecured Elastic Search database included a significant amount of both user and company information with the vast majority of email data records referring to users in the US.”
Exposed records included a huge trove of information, including names, sexual orientation, email addresses, IP addresses, email message transcripts, and private conversations between users.
Experts pointed out that millions of PII entries were left open online, including:
In total, around 11 million records contained at least one email address from a variety of email providers (i.e. gmail.com, icloud.com, and hotmail.com).
Most of the exposed records belong to users from the US (6.5M+), Brazil (5.3M+), Italy (4.8M+), and France (4.1M+).
“US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated. As expected, countries such as the UAE, Saudi Arabia and Iran all had zero entries given the fact that these countries ban adult content domestically.” continues the report.
“The security team also discovered 26,392,701 entries with password hashes, with a proportion of hashes belonging to CAM4.com users and some from website system resources.”
A ‘few hundred entries’ also included full names, credit card types, and payment amounts. An attacker could use this information to carry out sophisticated phishing attacks and scams.
“Possibly the greatest risk in both financial and reputational respects is the risk of blackmail scams that could be deployed against users who believe they are anonymous when sharing compromising data and content.” concludes the post.
(SecurityAffairs – CAM4, hacking)