Adult website Lucious has suffered a data breach that had exposed the personal information of over 1.1 million of the site’s users.
According to a report from ZDNet, the breach was discovered by vpnMentor’s research team, which was led by cybersecurity experts Noam Rotem and Ran Locar.
According to the team, the data breach stemmed from an authentication failure on the website, enabling hackers to access all user accounts operating under the Luscious database. Personal information of users, such as their usernames, email address, locations, genders, and activity logs have been exposed due to the security problem, the group added.
“This adds a great deal of additional vulnerability not just to the users, but also their employers,” the group said on Monday. “With access to employee email addresses, criminal hackers can target government agencies and departments in a number of ways.”
Affected users were said to be citizens from France, Germany, Russia, Brazil, Italy, Canada, and Poland. Aside from the already mentioned personal information, the team also revealed that they were able to view other user’s activities, such as image album uploads, likes, comments, and blog posts.
“Some of these blog posts were extremely personal — including depressive or otherwise vulnerable content — and kept anonymous,” vpnMentor continued. “Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors’ identities revealed.”
Luscious is an adult content-sharing website for pornographic materials, including anime and manga pornography, called hentai.
Around 20% of the affected accounts were said to have used fake email addresses. However, vpnMentor asserted there are around 800,000 that have used legitimate and active emails.
“Once a Luscious user’s identity is compromised, they can be targeted for more than just bullying,” the researchers warned. “Hackers could threaten to expose users unless they pay a ransom. Given the sensitive nature of this data breach, victims are incredibly vulnerable and likely to pay.”
The data breach was discovered on August 15 and was publicly disclosed the following day by vpnMentor. Three days later, Lucious operators acted on the said breach and were able to fix the security problem. vpnMentor, however, said there is no definite date when the vulnerability began. This means hackers might have already stolen the necessary info in each account before the breach has been fixed.
“The impact of this data breach on users could be devastating, personally and financially,” vpnMentor’s report said. “Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed.”