1.2 million private user data leaked on eight adult websites

Posted by trammel at 2020-03-12

The database at the bottom of wife lovers was attacked - a website dedicated to publishing naked and erotic information about wives, putting users' private information and photos belonging to their wives at risk, exposing more than 1.2 million unique private information such as email addresses and user passwords.

Data leakage

Over the weekend, it was found that data was leaked from within lovers and seven sister adult websites, eight of which were attacked due to an attack on the same 98 MB database they relied on. The database only protects user information through simple and easy to crack, outdated hash technology (called decrypt algorithm).

Other websites:

Violation information includes:

Robert Angelini, owner of and seven other data disclosure sites, told ARS on Saturday morning that fewer than 107000 people had posted to them in the 21 years they had been in business. He said he did not know why the nearly 98 megabyte file contained more than 12 times the number of users' e-mail addresses, and it was not clear whether all e-mail addresses belonged to legal users.

Website closed

Three days after receiving the hacker's notice, Angelini finally confirmed the leak and canceled the sites on Saturday morning. He also issued a notice on closed sites warning users to change their passwords elsewhere, especially if they reuse them on multiple sites:

When you post on the message board, your email address and posting ID are already displayed in your post. Therefore, if someone can "crack the code that encrypts the publishing password", they may be able to log in to another website where you use the same password associated with the publishing ID or email address on our website.

"We will not resume the site until this issue is resolved, even if it means that we have shut down the site forever," Angelini wrote in an email. "Whether we reveal 29312 passwords, 77000 passwords, or 1.2 million passwords, or the actual number between them. As you can see, we started to encourage users to change all passwords anywhere. "

Password cracking - decrypt algorithm

As for cracking code, it's almost instantaneous. Encryption used in passwords is worthless: as Dan Goodin of ARS technica described, this is a weak hash scheme 40 years ago. This algorithm is very fragile and outdated. Jens steube, a password cracking expert, said that it only takes seven minutes to identify and decrypt the given hash value.

The hash function is called decrypt. Founded in 1979, it is based on the old data encryption standard (DES). Descrypt then improved its design to make hashes less vulnerable to cracking. For example, it adds encryption salt to prevent the same plaintext input from having the same hash. It also iterates over the plaintext input several times to increase the time and computation required to crack the output hash. But by 2018, Descrypt was seriously inadequate. It provides only 12 bit salt, uses only the first eight characters of the selected password, and is limited by other more nuances.

Leaked data may be used to threaten users and their spouses

Regardless of the number of real accounts, the latest incidents of data breaches can be traced back to scammers who violated Ashley Madison's dating service in 2015. The data leak exposed 100GB of data, and the privacy details of 36 million account holders included the user's street address, some payment card numbers, phone numbers and nearly 10 million transactions. Within a few weeks, affected users received emails from unidentified people threatening to inform them of infidelity to their spouses unless they paid a large ransom, when at least two members committed suicide.

However, a quick inspection of the exposed database shows the potential damage it can cause. Goodin points out that users of the site can publicly link their account to an email address and associate different private email addresses with their account. This may result in not only disclosing the user's personal data ID, but also their identity:

By searching some of these private email addresses, you can quickly return to instagram, Amazon and other large websites' accounts, which provide users' names, geographical locations and information about hobbies, family members and other personal details. The name provided by the user is not his real name, but it does match the user name he publicly uses on six other websites.

Troy hunt, who runs have I been Pwned, exposed the leak. However, given the sensitivity of the exposure, he marks the record as sensitive, which means that he will not provide a public email address that can be used for search, as his usual practice.

The sites offer a variety of images that members say appear as their spouses, but it's not clear whether the photos are the spouse of the user or the wife of someone else, or whether all affected spouses agree to provide their intimate photos online.

"This incident is a huge privacy violation, and for people like this, if he (or, I think, if his wife finds out), it could be devastating." Troy hunt said.

It's the same attitude as Ashley Madison: it could lead to threats of blackmail and multiple revelations of related suicides.

◆ source:


◆ the copyright of this article belongs to the original author. If there is any infringement, please contact us to delete it in time