MyFreeCams.com sends users their full forgotten passwords in plain text, and no longer lets models use special characters in passwords.
Earlier this week, Motherboard revealed that popular cam girl site MyFreeCams.com is making its models' accounts easy to hack by having truly terrible password security. The site, which says it has more than 100,000 models and has over five million members, is deliberately weakening both its models' and users' passwords, as well as sending users parts of their passwords by email.
Now, it has emerged that the site has even more security problems, such as sending users their full forgotten passwords in plain text, and it is no longer possible for models to use special characters in their passwords at all.
One cam girl from MyFreeCams.com—commonly abbreviated to MFC—contacted Motherboard after last week's article. "I saw your story and logged in to change my password, and discovered that MFC is not allowing special characters in model passwords anymore," the model, who asked to remain anonymous to protect her account, said. She also provided a relevant screenshot, showing the change password screen of her model account. It clearly reads "Your password must consist of letters and numbers only."
"I had no idea it was like that. Makes me want to reconsider where I cam."
It appears that MyFreeCams.com has introduced this measure after the initial coverage of the site's poor security practices. Earlier this week, another cam girl verified for Motherboard that if a password contained upper and lower case, as well as punctuation, it was bypassed by simply typing in the password in lowercase, while omitting any special characters.
For example, if a model's password was "!!!PASSword???", simply typing in "password" would access the account.
Now, for whatever reason, it is no longer possible to use special characters at all.
MyFreeCams.com has not responded to multiple requests for comment.
On top of that, when users report that they have forgotten their password, MyFreeCams.com sends users their full password in plaintext via email.
Tobias Fee, a user of the site, told Motherboard in a Twitter message "If you hit 'forgot password' it will send you your password in plain." Fee then provided a screenshot showing this.
Motherboard previously reported that when users purchase tokens to use on the site, MyFreeCams.com sends out a receipt. Included in that receipt is part of a user's password.
Per Thorsheim, founder of PasswordsCon, told Motherboard at the time that "in order to show/send you parts of your password, it is either stored in an encrypted form and they have the key to decrypt, or it is stored in plain text." The evidence showing that forgotten passwords are sent in plaintext further supports this.
Cam girls who Motherboard spoke to are understandably worried by the revelations.
"I had no idea it was like that. Makes me want to reconsider where I cam," one previously told Motherboard.
The poor password security practices are especially concerning because cam girls may be at a heightened risk of stalking or harassment. Many of the girls on the site appear to use pseudonyms, perhaps to protect their identity. Having access to their account might reveal their real name or location.
"I'm deleting my MFC account due to their security issues," another model told Motherboard. "I knew MFC was sketchy but I had no idea the accounts were so easy to hack."