There was a data leak on the erotic live streaming website cam4.com. An unprotected database contained over 10 billion records of personal user information such as full names, phone numbers, email addresses as well as payment logs, chats, logs and much more.
Security researchers of Safety Detective found a 7 terabyte database while searching the web for unprotected data. This database contains logs from 16 March 2020 onwards, with new data coming in daily. The database is attributed to the live streaming website for adults, CAM4.com. The website belongs to the Irish company Granity Entertainment.
CAM4 is a “cam model” website with live streaming, offering explicit content intended for adults only. CAM4 is mainly used by amateur webcam actors. Customers of the website can buy virtual tokens with which they pay the performers for their private shows. CAM4 has reportedly paid more than $100 million in performer commissions since its inception in 2007.
The Surecom Corp Connection
Finding those responsible was a kind of ‘shell game’ for the security researchers. Once they had discovered the open database and were able to attribute it to cam4.com, they informed the party responsible. The security team received a prompt response advising them to contact and inform another company called Smart-X.net.
Upon further investigation, our team discovered that both domains (CAM4.com and Smart-X.net) are owned by the parent company Surecom Corp. There are several companies with this name – one is located on a Dutch Caribbean island. The server was hosted in the Netherlands, the parent company is based in Ireland. So the providers should be subject to the GDPR.
The data leak
The unsecured Elasticsearch server with its database was hosted by Mojohost B.V. in the Netherlands and held 7 terabytes of data. According to the security researchers who were able to view the database, millions of records with very personal user data were publicly accessible without adequate security measures. Here is an excerpt:
- First and last names
- Email addresses
- Country of origin
- Sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Payment logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
In total, the database contained about 11 million records of e-mails, with some records containing multiple e-mail addresses of users from several countries. The security researchers have made the following breakdown by country.
(Source: Safety Detective)
The USA, Brazil and Italy are in the lead, followed by France. Germany is also represented with a large number of records. UAE, Saudi Arabia and Iran are not represented because of their censorship measures – which was expected.
The security team also discovered 26,392,701 entries with password hashes, with some of the hashes originating from CAM4.com users and some from the site’s system resources. In total, the security researchers found “a few hundred entries” with full names, credit card types, and payment amounts. The combination of all three data points is critical – since payment amounts with full names are a greater security risk. First of all, people can be blackmailed, and possibly such information can be used for fraud.
In the article, the security researchers do not disclose whether the database is now offline or can still be accessed unprotected via the Internet. In any case, this is likely to be a disaster for those concerned in terms of data protection and privacy. How the case is taken up in terms of data protection is currently unknown to me.