Porn site Luscious data breach affected 1.2 million user profiles

Authentication failure of a niche porn site exposes users' emails and related account activity

Data breach in adult site Luscious. Over 1 million registered users exposed after a breach in a popular porn site.

An adult site that promises its users anonymity has been affected by a data breach.[1] Luscious, a popular hentai porn site that has more than one million registered users and racks up to 20 million monthly visits, exposed an unprotected database consisting of user profiles, allowing anyone to view it. Such data can potentially help identify members based on their email addresses and other information.

The vpnMentor research team discovered the potential compromise of the Luscious website on August 15th and reported the findings to the site owners a day later.[2] While the action to prevent further exposure was taken three days later, it is not yet known whether any other hackers managed to get to the sensitive data before it was secured on August 19th.

Once users create a profile on the site, they can comment on, upload, share, and favorite various adult content posted on Luscious. Evidently, users who visit these sites expect their identities to remain anonymous, as they are only exposed via the username that they establish during the profile creation process. Unfortunately, a data breach of this kind renders many site visitors vulnerable to cyberbullying, phishing, money extortion, and other threats.

Noam Roten and Ran Locar, the researchers who disclosed the unprotected database on the Luscious site, commented with the following statement:

The data breach our team discovered compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address. The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.

Exposed 1.2 million users located around the world. Some accounts were registered using government emails

Although more than 20% of users use fake email addresses when registering such accounts, other members can be identified easily from the email address alone, as the exposed database also included their full names. This type of compromise can deepen the impact of the breach, lead to various issues regarding people's privacy, and even result in identity theft.[3]

Personal details and information about members' behavior exposed during the breach include:

  • usernames;
  • email addresses;
  • activity logs;
  • country;
  • gender;
  • uploads, the number of albums;
  • comments;
  • blog posts;
  • favorites;
  • followers and following accounts;
  • the user ID that allows seeing how active the user has been.

Most of these details cannot be seen by other users and are hidden in the website database, as researchers note. Unfortunately, due to the data breach, the anonymous content is no longer private, and many identities might have been revealed to malicious actors. Blog posts and images uploaded to the site were exposed along with additional details on who created them.[4]

According to the information that the vpnMentor research team managed to access, the registered accounts came from all over the world – Europe, Asia, Australia, and the Americas. While it was difficult to determine the precise number of users in each location based on their email accounts alone, researchers estimated that most users came from Germany (50,000), France (~40,000), and Russia (~35,000).

While checking the data, security experts also found a few hundred government-issued email addresses (.gov and .edu) that were used to register on Luscious. The exposure of government officials' data could be devastating not only to the individuals but to the institutions as well, possibly allowing access to their other accounts.

Even though the unprotected Luscious database has been closed, some users' privacy might have already been compromised

TechCrunch, which was given restricted access to the vpnMentor team's investigation report, tried to reach the Luscious.net owner on numerous occasions using various social media platforms in order to stop the data exposure, but a response never came:[5]

We emailed the owner — whose email address was found in the very first user record — to disclose the security lapse, but we did not hear back after several follow-ups. We sent the owner a note through the site’s contact form, through Facebook Messenger and over a LinkedIn contact request, and we sent several text messages based off the site’s historical registration data.

Consequently, the web host was contacted and access to the database was closed, which allowed the incident to be disclosed publicly. Only after that did the site owner react, saying: “We will be reaching out to any compromised users to warn them about the potential exposure of their private email addresses.”

People affected by the data breach should be warned about potential exposure of their email addresses and personal information. If you are one of those users, you should immediately change the username and the associated email. Additionally, while passwords were not stored on the leaky database, changing them is highly recommended as a precautionary measure.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of the News Editors and also the Social Media Manager of the 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
