Adult live-streaming platform CAM4 unknowingly left a production server exposed to the Internet, leaving billions of user records and private information publicly accessible. Among the exposed data were private messages, email addresses, and sexual preferences, notes Naked Security by Sophos.
Owned by Granity Entertainment, an Irish firm, CAM4 has been operating as an adult live-streaming website that serves as a platform for customers and audiences to watch sexual and explicit performances.
At the same time, the site functions as an adult chatting platform where customers can purchase tokens to tip streamers for their performances. Customers may also pay extra to watch private shows, states Sophos.
In a report filed by Safety Detectives, a security research team led by Anurag Sen found a massive data leak involving an Elasticsearch database left unsecured. The database held over 7 terabytes of data, with production logs dating from March 16, 2020.
The 7-terabyte database contained more than 10.88 billion user records, most of which included personally identifiable information (PII). Among the PII exposed to the public were customers' first and last names, email addresses, and country of origin.
Passwords were also compromised, albeit protected with hashes.
Moreover, users' sign-up dates, gender preference and sexual orientation, device information, spoken languages, and usernames were made available on the Internet without any security measures in place.
Payment data, including credit card type and details, amounts paid, and the currencies used to purchase tokens, were also exposed. User conversations, chats between users and CAM4, token information, and IP addresses were also included in the massive data leak.
Users from the United States of America, Italy, and Brazil were among those most heavily affected by the incident, Safety Detectives reveals.
Despite the massive breach, CAM4 maintains that the PII of their users has not been used in any malicious way.
In a statement, it said “the team concluded without any doubt that absolutely no personally identifiable information… was improperly accessed by anyone outside the SafetyDetectives firm and CAM4’s company investigators.”
Upon discovering the unsecured database, Safety Detectives immediately contacted the Ireland-based cam site. The security research team reports that the vulnerability was addressed shortly after CAM4 was informed.
Wired states that CAM4 has decided to take appropriate actions to address the situation, particularly relocating its server to its “internal LAN to make it a lot harder for people to get access to this type of server” and to ensure that the PII remains separate from these accounts.
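The two failures this incident turns on are an Elasticsearch node reachable from the Internet with no authentication, and production logs that carried PII in the first place. The following Python is an added example, not code from the article or from CAM4: it audits a node's settings for the exposed-without-auth pattern and scrubs PII from a log record before indexing. The settings dicts and the log record are constructed samples; the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys, assumed here to be loaded from elasticsearch.yml by the caller.

```python
import ipaddress
import re

# Constructed samples (not CAM4's real configuration). The weak profile mirrors the
# incident: a node bound to every interface with security off; the hardened one is
# bound to an internal LAN address with authentication and TLS enabled.
WEAK_SETTINGS = {"network.host": "0.0.0.0", "http.port": "9200",
                 "xpack.security.enabled": "false"}
HARDENED_SETTINGS = {"network.host": "10.0.5.12", "http.port": "9200",
                     "xpack.security.enabled": "true",
                     "xpack.security.http.ssl.enabled": "true"}

# Special network.host values Elasticsearch accepts that bind beyond loopback.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PII_FIELDS = {"email", "first_name", "last_name", "ip", "card_number"}


def binds_beyond_lan(host):
    """True when network.host exposes the HTTP API on a globally routable address."""
    if host in PUBLIC_BINDINGS:
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:          # hostname or a placeholder such as _local_
        return False


def exposure_findings(settings):
    """Audit one node's settings; an empty list means the pattern is absent."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")   # Elasticsearch default is loopback
    if binds_beyond_lan(host):
        findings.append(f"network.host={host}: HTTP API reachable from outside the LAN")
    # Unset is treated as disabled, which was the pre-8.x default.
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: anonymous access allowed")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials sent in clear")
    return findings


def scrub_log_record(record):
    """Redact PII before a production log line is indexed, so an exposed index leaks less."""
    scrubbed = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            scrubbed[key] = "[REDACTED]"
        elif isinstance(value, str):            # also catch addresses embedded in text
            scrubbed[key] = EMAIL_RE.sub("[REDACTED]", value)
        else:
            scrubbed[key] = value
    return scrubbed
```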