Thousands of user account details—many related to a bestiality website—are circulating on public image boards, according to data obtained by Motherboard. Details include email addresses, alleged IP addresses, and other apparent personal information linked to an often illegal sexual practice.
The news shows how websites that deal with the most controversial subjects can be hacked and expose their users, and perhaps their real world identities, in the process.
“Regardless of what you're into in your personal time, this incident serves as a reminder that anything you do online may one day be leaked publicly,” security researcher Troy Hunt, who runs the breach notification service Have I Been Pwned? and who originally flagged the breach to Motherboard, said in a Twitter message.
According to Hunt, the breach appears to predominantly relate to a specific bestiality website. Motherboard is not naming the site because, much as with naming a child abuse site, it seems inappropriate to make it easier for potential users to find offending material. Motherboard downloaded the dataset from a public forum discussing the breach, and verified that many of the email addresses contained in the dump are connected to active accounts on the site. For dozens of tested addresses, when Motherboard tried to create an account with one of the emails, the site returned an error message: “Email is already used by another user!”
Administrators for the site did not respond to a request for comment, and no alleged users of the site replied to Motherboard’s emailed questions over the past week.
As well as email addresses—some of which seem to contain full names of individuals—the data includes alleged password hashes, user birthdates, IP addresses, and what appears to be a few hundred private messages between users.
In all, Motherboard extracted around 3,000 unique email addresses from the data dump. In Motherboard’s tests, not all of those were linked to active users on the site—some could be used to create accounts—and it seemed to be possible to create an account without clicking a verification link, meaning users could sign up with another person’s address. Regardless, the digital footprints on the site likely expose some genuine users.
“There are thousands of real email addresses in this incident and deniability will be hard when they sit alongside IP addresses. It could be both enormously embarrassing and enormously damaging for some people,” Hunt said.
At the time of writing, 45 states ban sex with animals, but possession of the pornography itself is often legal.