Hundreds of thousands of user account details for porn site xHamster are being traded on the digital underground.
The database of nearly 380,000 users, provided to Motherboard by for-profit breach notification site LeakBase, includes usernames, email addresses, and what appears to be poorly-hashed passwords.
Although xHamster is a free porn site, users can sign up to create personal favorite collections, post comments, or upload their own videos. According to the xHamster site, over 12 million people have signed up for an account.
Motherboard attempted to create new xHamster accounts with a random selection of 50 email addresses from the database. When the email corresponded to an xHamster account, the site returned the message “This email already exist! [sic]” All 50 addresses were already in use, and all but one of the related usernames were already taken too.
The database includes some 40 email addresses belonging to the US Army, and 30 related to various US, UK, and other countries’ government bodies.
According to LeakBase, the data was being traded at around the same time a hacker found a vulnerability in xHamster’s website earlier this year, but it is not clear how exactly this database was obtained.
Motherboard attempted to contact a number of individuals implicated by the breach, but did not receive a response.
To check that the data was not already publicly available, Motherboard searched for the same email addresses on the open internet. The vast majority returned no relevant Google search results.
An xHamster spokesperson told Motherboard in an email, “The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users data secured.”
However, the hashes in the database were created with the aging MD5 algorithm. Hackers can trivially crack such hashes, and plenty of websites exist where anyone can quickly look up the plaintext of an already-cracked hash.
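As an added example (not part of the Motherboard article), the following Python contrasts the unsalted MD5 storage described above with salted PBKDF2, showing why a precomputed lookup table recovers one and not the other. The wordlist and the "leaked" dump are constructed; the hypothetical `audit_md5_dump` helper is the check a site operator would run to gauge exposure.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample wordlist standing in for the public "already-cracked" tables
# the article mentions. Real tables hold billions of entries; five suffice here.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: one fixed output per input, precomputable."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Precomputed table: MD5 hex digest -> plaintext. Building it costs one fast
# hash per word and it works against every site that stores unsalted MD5.
MD5_TABLE: Dict[str, str] = {md5_hex(p): p for p in COMMON_PASSWORDS}

def audit_md5_dump(hex_digests: List[str]) -> Dict[str, Optional[str]]:
    """Defender's exposure check: which leaked MD5 hashes fall to a table lookup."""
    return {h: MD5_TABLE.get(h.lower()) for h in hex_digests}

def store_password(password: str, iterations: int = 600_000) -> str:
    """How a site should store a password: random per-user salt + slow PBKDF2."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_same_record(password: str) -> bool:
    """With a random salt, two users sharing a password get distinct records,
    so no single precomputed table covers the whole store."""
    return store_password(password) == store_password(password)

if __name__ == "__main__":
    # Constructed dump: three of the four "leaked" hashes are common passwords.
    dump = [md5_hex("password"), md5_hex("qwerty"), md5_hex("Tr0ub4dor&3"), md5_hex("123456")]
    for h, plain in audit_md5_dump(dump).items():
        print(h, "->", plain or "not in table")
    record = store_password("password")
    print(record)
    print("same MD5 for two users:", md5_hex("password") == md5_hex("password"))
    print("same PBKDF2 record for two users:", same_password_same_record("password"))
```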
The lesson: xHamster users should change their password on the porn site as a precaution, but also change it on any other site where they used the same password. With this database, hackers can attempt to access other accounts belonging to the victim using the leaked credentials.
Another day, another hack.
Update: After the publication of this article, Alex Hawkins, xHamster spokesperson, told Motherboard in an email, “The only way to respond to this news is to coin a new term: ‘Fhack.’ A fhack is best defined as a fake hack. There was a failed attempt to hack our database which occurred 4 years ago. The integrity of our user data is secure. Passwords are encrypted and impossible to hack. In short, this was a successful fhack; and a failed hack.”
When pressed on how data traders then obtained a list of xHamster user email addresses, the company said, “We cannot validate that the emails are real and we don’t believe that this is a genuine database.” This is despite Motherboard’s independent verification of the email addresses and usernames.