Porn site leaks over a million users’ private info

The great thing about the internet is that no one has to know you have a serious thing for hentai pornography. Unless, that is, the porn site you have an account on leaks your personal information. 

Over a million Luscious.net account holders faced that unexpected reality this week after security researchers announced a data breach affecting the site. According to the team at vpnMentor, an exposed database allowed would-be blackmailers or extortionists the ability to surreptitiously gather Luscious account holders’ personal details. 

Specifically, the data available included usernames, email addresses, activity logs, and location data for all 1.195 million users.

“Our team was able to access this database because it was completely unsecured and unencrypted,” writes the vpnMentor team. 

Importantly, vpnMentor is not saying the data was stolen by a malicious actor — just that it was wide open for the taking. That doesn’t mean it wasn’t stolen, however. 

If Luscious users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific Luscious accounts with their owners. 

But wait, it gets worse. The team at vpnMentor notes that they were able to access users’ video uploads to the site — possibly enabling them to tie users’ real names to uploaded pornographic images. 

“The impact of this data breach on users could be devastating, personally and financially,” reads the blog post announcing the breach. “Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed.”  

The breach was discovered on Aug. 15, and, after being notified by vpnMentor, Luscious fixed the issue on Aug. 19. That doesn’t mean, however, that no harm was done. 

“While the data breach is now closed,” write the researchers, “it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed.” 

Of course, many Luscious accounts were likely associated with throwaway email accounts. Many, but not all. 

“A greater issue of concern is the fact that many users joined Luscious on official government emails,” notes vpnMentor. “We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia.”

As exemplified by the 2015 Ashley Madison hack, this type of information is practically designed for blackmail. In that case, a dating site purportedly offering to put married men in touch with women was breached, and its database consisting of usernames and emails fell into the hands of hackers. People soon began receiving emails demanding payment at the threat of exposure to their families. 

At least two suicides were reportedly linked to the Ashley Madison hack. 

If you just so happen to have a Luscious account, you should definitely change your password. And, going forward, when registering accounts on pornography sites please don’t use an email address that happens to include your real name.