Nearly 800,000 Brazzers Porn Site Accounts Exposed in Forum Hack

Another day, another hack originating from poorly maintained vBulletin software.

Nearly 800,000 accounts for popular porn site Brazzers have been exposed in a data breach. Although the data originated from the company's separate forum, Brazzers users who never signed up to the forum may also find their details included in the dump.

Motherboard was provided the dataset by breach monitoring site Vigilante.pw for verification purposes. The data contains 790,724 unique email addresses, and also includes usernames and plaintext passwords. (The set has 928,072 entries in all, but many are duplicates.)

Troy Hunt, a security researcher and creator of the website Have I Been Pwned?, helped verify the dataset by contacting subscribers to his site, who confirmed a number of their details from the data.

"It's unfortunate that my information was included in the breach, but that's the risk you run making an account anywhere on the web," a Brazzers user, who asked to remain anonymous, told Motherboard in an email.

Another user whose email was included in the data, called John, wrote, "I used throwaway login/pass for this very reason."

Matt Stevens, public relations manager from Brazzers, told Motherboard in an email, "This matches an incident which occurred in 2012 with our 'Brazzersforum,' which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the 'vBulletin' software, and not Brazzers itself."

"That being said, users' accounts were shared between Brazzers and the 'Brazzersforum' which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users," Stevens added.

Indeed, both Brazzers users who spoke to Motherboard said that they had not used Brazzersforum.

On the forum, which uses a separate URL from the main site, users could discuss different Brazzers porn scenes and stars, or request a new scenario they would like to see in future Brazzers productions.

At the time of writing, Brazzersforum is displaying an "under maintenance" message, and is unavailable to users.

"Note that the data provided contains many duplicates and non-functional accounts. We banned all non-active accounts in that list in case those usernames and passwords are re-used in the future," Stevens from Brazzers said.

"Brazzers takes the privacy and safety of its users very seriously," he added.

Hunt said that because some of the accounts were related to a forum, the data was arguably even more sensitive than that of a normal porn site account.

"When it's solely membership of an adult website, you know the person has an interest in adult material, which, whilst potentially embarrassing, tells you very little about them. Once they're commenting within a forum though, now you have very personal information about their intimate thoughts. We also know that forum breaches frequently include not just user credentials, but private messages as well, and those can be particularly revealing," he wrote in an email. Hunt added the data to Have I Been Pwned? on Monday.

"We've seen a real spate of vBulletin breaches where the software had been left pretty much unattended and unloved," he added. "Vulnerabilities have been found and patches have been issued yet the admins have maintained the product and very well-known, easily exploited vulnerabilities have led to breaches like this one."

A recent breach of a Grand Theft Auto fan site originated from vulnerabilities in vBulletin, and the software has been involved in many other breaches too. Often, the problem is that sites using vBulletin have been left in a state of disrepair, allowing hackers to leverage publicly known vulnerabilities and grab user details.

The anonymous Brazzers user told Motherboard, "The only way to force change is to bring it to public opinion to encourage businesses to respect our data and put the proper security measures in place to secure it."

The lesson: Like John, when signing up to websites, consider using a unique email address and password. That way, if your data is included in the breach of a sensitive website, it will likely be harder for others to personally identify you.

Another day, another hack.