Brazzers Suffers Unwanted Exposure
How Many Porn Site Users Employed Throwaway Logins/Passwords?
Yet another historical mega-breach has come to light, this time involving Montreal-based online porn site Brazzers, which reportedly suffered a 2012 data breach that allowed an attacker to steal nearly 800,000 user credentials.
The breach is an operational security reminder to users to employ not just unique passwords for every site they use - so that attackers can't steal them from one site and use them at another - but to also consider employing unique usernames and email addresses, not least to safeguard the privacy of their online activities.
Brazzers, which describes itself as "the world's best pornsite," films and distributes its own adult videos.
The breached data, which came to light this week, includes about 790,000 unique email addresses as well as usernames and plaintext passwords, reports technology site Motherboard. The site said it obtained a copy of the stolen data from breach-information site Vigilante.pw and verified it with the help of Australian security researcher Troy Hunt, who runs the free Have I Been Pwned? breach-notification site.
According to the Vigilante.pw site, the data was originally dumped online in April 2013.
Brazzers has confirmed the breach and said it relates to how the company transferred passwords between its website and forum software.
"This matches an incident which occurred in 2012 with our 'Brazzersforum,' which was managed by a third party. The incident occurred because of a vulnerability in the said third-party software, the 'vBulletin' software, and not Brazzers itself," Matt Stevens, a spokesman for Brazzers, told Motherboard.
"That being said, users' accounts were shared between Brazzers and the 'Brazzersforum' which was created for user convenience," he said. "That resulted in a small portion of our user accounts being exposed, and we took corrective measures in the days following this incident to protect our users."
Exposed: Users' Fantasies
On Brazzersforum, users could discuss their favorite scenes from Brazzers films, as well as request new ones. Hunt says that's the real kicker with this breach, because it potentially exposed people's sexual fantasies.
Problem with a hack like that is it's a *forum*. Worse than just adult website creds, this is what people were talking / fantasising about.
— Troy Hunt (@troyhunt) September 5, 2016
That the breach involved the popular vBulletin software is also notable. In recent years, numerous sites have been breached after failing to keep their vBulletin updated. Hunt says that many sites choose to administer their own vBulletin forums, yet fail to install newly available patches in a timely manner, thus creating a "perfect storm of software with holes in it that people don't maintain" (see Epic Games Forums Breached Again).
Throwaway Credentials
For users, the Brazzers breach is a reminder to compartmentalize the personally identifying information you share online if you'd prefer that the related activities never come to light publicly.
Vis-à-vis the Brazzers breach, there's no word on how many users reused their email addresses - not to mention passwords - on other sites. One user, "John," whose email was contained in the dumped data, and who was contacted by Motherboard, told the publication that security and the potential for his data to get stolen had been top of mind, so "I used throwaway login/pass for this very reason."
But if previous breaches are any indication, John was an outlier, and many users will have employed recognizable email addresses to register with the site. For example, the administrator of Vigilante.pw, who goes by "Keen," tells me that 1,446 ".mil" and 41 ".gov" email addresses are contained in the Brazzers data dump, as well as one ".uk.gov" email address, which are respectively official U.S. military, U.S. government and U.K. government email addresses. Brazzers didn't immediately respond to a request for comment about whether it was verifying users' email addresses when the site was breached.
Ashley Madison Lesson Redux
Last year's breach of infidelity-focused online dating site Ashley Madison also revealed that many users failed to think twice when it came to keeping their participation on the site a secret, for example, by employing single-use credit cards or at least some password security mojo. More than 100,000 of the site's users, for example, picked this easily guessable six-digit password: "123456" (see We're So Stupid About Passwords: Ashley Madison Edition).
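As an added example, not part of this article and not using the Brazzers data, here is the kind of triage a researcher such as Hunt, or a defender checking whether their own organization's domain turns up in a leak, would run over a credential dump: count addresses under watched suffixes such as the ".mil", ".gov" and ".uk.gov" figures reported above, and tally how many accounts used an easily guessed plaintext password like "123456". The dump lines, the "email:username:password" layout and the short weak-password list are all constructed for illustration.

```python
"""Breach-dump triage: which email domains appear in a leaked credential
set, and how many accounts used a weak plaintext password.

Added example; the dump below is constructed, not real breach data."""
from collections import Counter
import re

# Constructed sample lines in "email:username:password" form (not real data).
SAMPLE_DUMP = """\
alice@example.com:alice77:correct-horse-battery
bob@army.mil:bob_k:123456
carol@agency.gov:carol:Summer2012
dave@mod.uk.gov:dave88:123456
erin@example.org:erin:pa55word
frank@example.com:frank:123456
not a valid line
"""

# Suffixes to report, ordered longest-first so "mod.uk.gov" is counted as
# ".uk.gov" rather than ".gov" (assumption: ".uk.gov" is its own class, as in
# the article's figures).
WATCHED_SUFFIXES = (".uk.gov", ".gov", ".mil")

# Hypothetical, deliberately tiny weak-password list; a real one is far longer.
WEAK_PASSWORDS = {"123456", "password", "pa55word", "12345678", "qwerty"}

EMAIL_RE = re.compile(r"^[^:@\s]+@([^:@\s]+)$")


def parse_dump(text):
    """Yield (email, domain, password) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 3:
            continue
        email, _username, password = parts
        m = EMAIL_RE.match(email.lower())
        if not m:
            continue
        yield email.lower(), m.group(1), password


def classify_domain(domain):
    """Return the watched suffix a domain falls under, or None."""
    for suffix in WATCHED_SUFFIXES:
        if domain == suffix.lstrip(".") or domain.endswith(suffix):
            return suffix
    return None


def count_watched_domains(text):
    """Count dump entries per watched suffix, e.g. {".mil": 1, ".gov": 1}."""
    counts = Counter()
    for _email, domain, _pw in parse_dump(text):
        suffix = classify_domain(domain)
        if suffix:
            counts[suffix] += 1
    return dict(counts)


def weak_password_report(text):
    """Return (number of accounts using a listed weak password, most common password)."""
    pw_counter = Counter(pw for _e, _d, pw in parse_dump(text))
    weak = sum(n for pw, n in pw_counter.items() if pw in WEAK_PASSWORDS)
    top, _ = pw_counter.most_common(1)[0] if pw_counter else (None, 0)
    return weak, top


def accounts_for_domain(text, domain):
    """Emails registered under one exact domain: what a defender checks for their own org."""
    return sorted(e for e, d, _ in parse_dump(text) if d == domain)


if __name__ == "__main__":
    print(count_watched_domains(SAMPLE_DUMP))
    print(weak_password_report(SAMPLE_DUMP))
    print(accounts_for_domain(SAMPLE_DUMP, "example.com"))
```

The suffix match is ordered longest-first on purpose: a naive `endswith(".gov")` check would fold the ".uk.gov" address into the U.S. government count. On a real dump the exact-domain lookup is the useful half for a defender, since it answers whether any of their users registered with a work address.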
At the same time, however, site participants were sharing more than just their contact information with the site. Impact Team, which was the group that claimed credit for breaching Ashley Madison and later dumping related data, reported that breached customer records included "profiles with all the customers' secret sexual fantasies and matching credit card transactions [and] real names and addresses," among other details.