It’s all too common for companies to leave databases chock full of sensitive information exposed to the great wide internet. But when that company operates an adult livestreaming service, and that data comprises 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts—across 10.88 billion records in all—the stakes are a bit higher.
The site is CAM4, a popular adult platform that advertises “free live sex cams.” As part of a search on the Shodan engine for unsecured databases, security review site Safety Detectives found that CAM4 had misconfigured an ElasticSearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs.
“Leaving their production server publicly exposed without any password,” says Safety Detectives researcher Anurag Sen, whose team discovered the leak, “it’s really dangerous to the users and to the company.”
First of all, very important distinction here: There’s no evidence that CAM4 was hacked, or that the database was accessed by malicious actors. That doesn’t mean it wasn’t, but this is not an Ashley Madison–style meltdown. It’s the difference between leaving the bank vault door wide open (bad) and robbers actually stealing the money (much worse).
The mistake CAM4 made is also not unique. ElasticSearch server goofs have been the cause of countless high-profile data leaks. What typically happens: They’re intended for internal use only, but someone makes a configuration error that leaves it online with no password protection. “It’s a really common experience for me to see a lot of exposed ElasticSearch instances,” says security consultant Bob Diachenko, who has a long history of finding exposed databases. “The only surprise that came out of this is the data that is exposed this time.”
And there’s the rub. The list of data that CAM4 leaked is alarmingly comprehensive. The production logs Safety Detectives found date back to March 16 of this year; in addition to the categories of information mentioned above, they also included country of origin, sign-up dates, device information, language preferences, user names, hashed passwords, and email correspondence between users and the company.
Out of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 had password hashes for both CAM4 users and website systems. A few hundred of the entries included full names, credit card types, and payment amounts. A message from WIRED sent to a CAM4 online portal went unanswered.
It’s hard to say exactly, but the Safety Detectives analysis suggests that roughly 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. It’s unclear to what extent the leak impacted both performers and customers.
Again, there’s no indication that bad actors tapped into all those terabytes of data. And Sen says that CAM4’s parent company, Granity Entertainment, took the problematic server offline within a half hour of being contacted by the researchers. That doesn’t excuse the initial error, but at least the response was swift.
Moreover, despite the sensitive nature of the site and the data involved, it was actually fairly difficult to connect specific pieces of information to real names. “You really have to dig into the logs to find tokens or anything that would connect you to the real person or anything that would reveal his or her identity,” says Diachenko. “It should not have been exposed online, of course, but I would say it’s not the scariest thing that I’ve seen.”
How Bad Is It?
Which is not to say that everything’s totally fine. If anyone were to have done that digging, they could have found out enough about a person—including sexual preferences—to potentially blackmail them. On a more mundane level, CAM4 users who reuse their passwords would be at immediate risk for credential stuffing attacks, potentially exposing any accounts where they don’t use strong, unique credentials.
Or consider the inverse: If you have the email address of a CAM4 user, Sen says, there’s a decent chance you can find an associated password from a previous data breach, and break into their account.
The data in the leak could have potentially put CAM4 at risk, as well; privileged fraud and spam detection information would have given potential attackers a road map for how to get around those defenses.
Data leaks happen. They’re not as bad as breaches, but with information this sensitive, the onus is on companies to take every precaution to protect it—not the bare minimum.
More Great WIRED Stories