A database containing very sensitive information about users and models on the popular Stripchat site was left completely unprotected, putting both models and users in an awkward situation that can escalate to extortion, violence and more.
Stripchat is a popular adult site founded in 2016 and based in Cyprus that sells access to live nude models.
Volodymyr “Bob” Diachenko, head of research at Comparitech, announced that on November 5 he discovered an unprotected database on an Elasticsearch cluster. The database contained data on 65 million users registered on the site (username, email address, IP address, ISP details, tips, date of account creation, date of last login, account status), data on 421,000 models on the site (name, gender, studio ID, live status, tips / pricing menus, and something called their “comic score”), 134 million transaction records (token information and tips users pay to models, including private tips), and data on 719,000 messages (user and model IDs involved in conversations).
It is unclear whether anyone else with bad intentions managed to access this data before Diachenko pointed out the problem and the data was finally protected on November 7.
Diachenko says the incident could pose a significant privacy risk to both Stripchat viewers and models.
“Exposure [of data] could be a digital and physical threat to both viewers and Stripchat models. Of particular concern are IP addresses, which can be used to detect someone’s approximate location. They could enable someone to find and spy on someone in the database, harass or even attack,” said Diachenko.
“If the data is stolen, they could face harassment, humiliation, stalking, extortion, phishing and other threats, both online and offline,” he said.
Both users and models should watch out for targeted phishing emails that fraudsters can send by posing as Stripchat, Diachenko warned. “Never click on links or attachments in unsolicited emails,” says Diachenko.
The privacy risk for both users and models becomes more significant if the exposed information is cross-referenced with data leaked in other incidents to build a complete profile of a person.
“Stripchat data, in fact, does not reveal much personal information, and I think that many users who visit such sites do not want to state their real identities, emails, etc.,” Diachenko said. “They also mostly use VPN services to hide their IP addresses,” he said, adding, however, that much of this information can be compared to other leaked data, and that some additional data may appear.
He informed Stripchat about his discovery on November 5, via email and then via Twitter. Although the company did not respond directly to his discovery, he said that on November 7, the data was protected without an explanation of what happened.
Diachenko says sites like Stripchat should have stronger security protocols and at least use protocols to respond to incidents when they receive such warnings from the security community.
Despite the large data leak affecting more than 65 million users, Stripchat has yet to publicly reveal or acknowledge the incident, which could result in the Cypriot company being fined heavily under the GDPR, the European General Data Protection Regulation.
Source: Informacija.rs by www.informacija.rs.