Hackers have stolen data from a website where users discuss highly personal and explicit sex topics, including fetishes and trying to meet up with other members. The data is now being traded among low-level hackers and data collectors, judging by posts on a cybercrime forum.
It's not clear how many of the users on the hacked forum are genuine rather than fake or bot accounts designed to mislead members, a tactic some dating and sex sites have previously used. Either way, the news shows how the anonymity of users on particularly sensitive websites can be broken.
The site, called Flirtsexchat, includes threads such as "Public Sex," "Baby Oil for Masturbation," "Spanking Forum," and "Do Girls Like Rim Jobs." Here, users traded advice and tips on the various topics. In some threads users also advertised their social media handles.
According to a post on a cybercrime forum, the data was stolen some time in September.
Motherboard attempted to contact multiple people in the database. One person responded, "Am in the breach" but then asked for money to provide more information. (Motherboard did not pay the source.) Motherboard cross-referenced usernames that appear on the site and checked that they matched ones in the database, and also tried to create accounts with email addresses in the database. This was not possible because the addresses were already in use, corroborating that the database contains real user data.
Know of any other websites hacked with the recent vBulletin exploit? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The data includes email addresses, usernames, IP addresses, and hashed passwords.
Flirtsexchat did not respond to a request for comment.
The posts on the cybercrime forum don't say how hackers broke into Flirtsexchat, but the site is based on the vBulletin forum software. In September, an anonymous person published details of an exploit that can break into servers running vBulletin versions 5.0.0 to 5.5.4. vBulletin pushed a patch to address the issue, but hackers are still able to break into sites that haven't installed the fix. The IP address of Flirtsexchat's server is included in a list on GitHub of sites vulnerable to this sort of attack. The tool on GitHub can exploit vulnerable vBulletin systems en masse.
The lesson: Even if you sign up to a sensitive website with a non-identifying username, if hackers target that site, it could expose the email address or other information you used to make an account. With that in mind, it may be worth using different email addresses for different purposes. That way, when a site is hacked and its data stolen, there can be a lower chance of the account being linked back to you.