Porn site coders expose user info of millions

I got contacted by Alltid Nyheter, from Swedish public broadcasting radio, regarding a thread on Flashback.org, Sweden’s largest web forum. User info of well over a million registered users was openly accessible on the chat site of YouPorn until the server was taken down yesterday.

The exposed information contains e-mail addresses and passwords. This information can be used to identify porn consumers, but for some users more than a reputation is at stake.

It is common knowledge that even today a surprisingly large portion of Internet users use the same passwords for many (or all) of the services they use on the Internet, whether it is e-mail accounts, Facebook, PayPal, or other services.

For a security professional it is baffling how coders working on a website with such sensitive content can make mistakes of this magnitude. Allegedly, hundreds of megabytes of data have been secured by people with unknown goals. Cyber criminals can easily go through these e-mail addresses, match them with passwords, and in this way gain access to e-mail accounts. Once they are in, they can secure even more sensitive information to use in phishing attacks, theft, or fraud.

It is difficult not to compare this case with the hacking of porn site Brazzers earlier this year, even though in this case the site wasn’t hacked.

Looking at the data, it seems like a careless programmer accidentally(?!) left debug logging switched on and writing to a publicly accessible URL as early as November 2007, and it has been storing all registrations ever since.

Yesterday, it was found, probably by “accident”, by someone sweeping websites for publicly accessible but non-linked (“hidden”) folders, looking for either porn or sensitive material like this, who struck gold.
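An added example, not part of the original post: a defender-side audit that walks a site's own document root on disk and flags any file whose lines carry both an e-mail address and a password field, which is the kind of debug log described above, whether or not any page links to it. The field names, log layout and sample tree are constructed assumptions, since the post does not show the real log format.

```python
import os
import re
import tempfile

# Assumed field names and key=value / key: value layout; the post does not show the real log.
PASSWORD_FIELD = re.compile(r'\b(?:password|passwd|pwd|pass)\b["\']?\s*[=:]\s*\S+', re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def audit_docroot(docroot, max_bytes=1_000_000):
    """Map each file under docroot (relative path) to its count of lines
    that contain both an e-mail address and a password field."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(max_bytes)  # only the first part of a huge file is read
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = sum(1 for line in text.splitlines()
                       if PASSWORD_FIELD.search(line) and EMAIL.search(line))
            if hits:
                findings[os.path.relpath(path, docroot)] = hits
    return findings

def build_sample_docroot(root):
    """Constructed sample tree: one linked page, one unlinked debug log."""
    os.makedirs(os.path.join(root, "chat", "debug"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Contact: admin@example.com</body></html>\n")
    with open(os.path.join(root, "chat", "debug", "register.log"), "w") as fh:
        fh.write("10:00:01 DEBUG register email=alice@example.com password=hunter2\n")
        fh.write("10:00:09 DEBUG register email=bob@example.org password=letmein\n")
        fh.write("10:00:12 DEBUG session started\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_docroot(tmp))

if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {hits} credential-bearing line(s)")
```

Any hit under the document root means two fixes: move the log outside the web-served tree, and stop writing password values to logs at all.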

Hackers have already started going through the lists, checking which users have the same password for e-mail or Facebook, and have posted some intimate pictures found in some users’ sent/received e-mail.

Anders Nilsson
Chief technology officer at
Eurosecure ESET Sweden


One thought on “Porn site coders expose user info of millions”

  1. The fact that many people reuse the same password across the board is very key here. While we may not often see cases where such a huge populace has their password retrieved unencrypted, this certainly shows it does happen. Hopefully those concerned have changed their passwords since.

    Adult sites being particularly embarrassing (and in this case, exposing), I find it important to use disposable email addresses to keep this sort of thing from really affecting one’s digital (and even personal) life. I work on a browser add-on called Cocoon (getcocoon.com) that makes it incredibly easy to create, manage, and delete email addresses for all websites that I don’t want on my immediate keychain. Incidentally, I also use that same program to avoid tracking, cookies and malware. I was all over VPNs and anti-tracking software, but found it difficult to manage everything at once effectively.
