The details of nearly 800,000 Brazzers forum users have been leaked.

Back in 2009, it won the AVN Award for Best Adult Website. Three years later, the private information of 790,724 users was subject to a breach. It’s a privacy nightmare, akin to the Ashley Madison data dump in 2015.

As if having users’ porn habits leaked wasn’t bad enough, this could have even wider implications.

What Happened?

We should’ve seen something like this coming. Some are billing this as affecting everyone who has ever visited an adult website, but that’s not the case at all. Nonetheless, it does hint towards a widespread vulnerability that might affect the majority of sites with a discussion forum.

But first, let’s focus on what happened to Brazzers, among the top 125,000 most popular websites in the world. If we limit the Alexa search to just India, it’s in the top 25,000. That might seem like nothing, but considering there are around 1 billion sites on the internet, it’s pretty impressive.

The breach occurred in 2012, which is admittedly a long time ago. It’s among a number of leaks from that year that we’ve bizarrely only just heard about, including LinkedIn and Dropbox, the latter of which affected some 68 million users.

Brazzers itself wasn’t breached — instead, it was its forum, which is actually more worrying. Plus, normal Brazzers account holders might still have cause for concern. Matt Stevens, the site’s public relations manager, explains:

The incident occurred because of a vulnerability in the said third party software, the “vBulletin” software, and not Brazzers itself. That being said, users’ accounts were shared between Brazzers and the “Brazzersforum” which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users.

That’s all well and good, but nobody was informed when it actually happened. It’s far from the admirable way Moonfruit dealt with a recent attack.

Usernames, email addresses, and passwords were leaked, but the forum was a place for folk to discuss their deepest desires: whereas before, those fantasies were hidden behind a mysterious username, this links users’ particular quirks with their email addresses.

Though the dataset included 928,072 emails, many were duplicates. That still leaves 790,724 unique users affected.

How Could This Get Any Worse?

You might think there wasn’t much of an impact considering we’ve only just heard about it. After all, if victims came out of this badly, we’d have heard about it already. It is, however, very concerning, especially with the rise in sextortion.

But there are two main reasons this could be worse than it initially sounds.

The first is that these passwords were in plain text. You may be wondering how responsible websites securely store passwords. The answer is, not as plain text. There’s nothing secure about plain text. This means that, if someone were to gain access to a dataset that includes your password, it would read exactly how you input it. It wouldn’t matter if your password were the most complicated seemingly-secure passphrase of all time: a hacker could just read it.

Plain text means no encryption, no salting, no hashing. It’s absolutely insane that any site still stores something important in that form. Users of porn sites especially expect a very high level of encryption, but this Brazzers breach reminds us that even some of the most popular sites use insecure approaches to your private information.

Further hacks of vBulletin revealed that the forum software allows users to encrypt passwords as they like, so we can infer that Brazzers itself is responsible for using plain text.

The core concern, however, is exactly that it was a vulnerability in vBulletin — which is used by nearly 40,000 live sites. Patches for vulnerabilities have been made, but they naturally rely on the sites’ administrators to upgrade. And that’s a problem.

GTA Fans Were Also Affected

The details of nearly 200,000 accounts on GTAGaming, a site dedicated to the acclaimed Grand Theft Auto series, were leaked last month, including email addresses, dates of birth, IP addresses, and passwords, the latter at least hashed twice (although only with the MD5 algorithm) and salted. It’s prompted the site to ditch vBulletin altogether:

We have now closed the forums permanently, and any accounts not updated within the next couple weeks will be deleted from the database. We will be moving the account database into a more secure authentication system, removing all trace of the vBulletin forum software, and until then will be keeping a close eye to prevent any further compromises.

Considering the number of high-profile sites that use vBulletin — notably including ubuntuforums.org, the official forum for the Linux operating system — a major problem with vBulletin could cause serious trouble. vBulletin itself was attacked last year, resulting in all users having to change their passwords, as was the developers’ linked site, VBTeam.

What Can You Do?

The first thing you should do is check whether your email address was part of the leak. If you’re on Brazzers, it’s well worth doing. If you’re not, you can still check out Have I Been Pwned?, which will tell you whether you’ve been a victim of any breaches, whether on NSFW sites, social media sites like MySpace, or your email provider like Gmail.

If you have been a victim, you certainly need to change your password, both on Brazzers’ Forum and on your email address. Just because your data was included in the breach, that doesn’t mean scammers have actually managed to bombard you with spam, or spoof your address. On the other hand, as this leak was in 2012, there’s a chance you’ll have suffered any consequences already.

Nonetheless, if you’ve a Gmail account, you could check your Activity Monitor, just to make sure nothing dodgy has happened. In fact, we’d always recommend keeping track of the latest security breaches — again, just in case.

If you’re signing up to a site that might require information you’d prefer to keep private (like any embarrassing secrets), use a unique email and password, which will make it tougher for potential cybercriminals to link your real name to your online dealings.

And if you’re an administrator on a site that relies on vBulletin, make sure you update it. The most recent patch was only last month, which came about after the forums of the multiplayer Dota 2 were breached, affecting 1.9 million accounts.

What Lessons Can Be Learned?

It’s not the fault of those using the Brazzers forum, but users of that discussion community should still be extra vigilant if inputting sensitive data. Anyone using further adult sites should take note too.

It’s about time companies realized that passwords aren’t safe using MD5 hashing, let alone plain text! If you spot a site using the latter, you should inform Plain Text Offenders.
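
The two storage formats mentioned in this article (plain text at the Brazzers forum, salted double MD5 at GTAGaming) can be replaced with a slow salted hash the next time each user logs in. The sketch below is an added example, not code from vBulletin or either site; the record layout, the md5(md5(password) + salt) shape, the function names and the sample accounts are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example

def legacy_md5(password, salt):
    # Assumed legacy shape: md5(md5(password) + salt), hex digests throughout.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def pbkdf2_record(password, salt=None):
    # Per-user random salt plus a deliberately slow key-derivation function.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify(password, record):
    scheme, _, rest = record.partition("$")
    if scheme == "plain":      # stored exactly as typed
        return hmac.compare_digest(rest.encode(), password.encode())
    if scheme == "md5x2":      # fast hash: salted, but cheap to guess against
        salt, digest = rest.split("$")
        return hmac.compare_digest(legacy_md5(password, salt), digest)
    if scheme == "pbkdf2":
        salt_hex, _ = rest.split("$")
        fresh = pbkdf2_record(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(fresh, record)
    return False

def login(db, user, password):
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("pbkdf2$"):
        # Correct password in hand: replace the weak record immediately.
        db[user] = pbkdf2_record(password)
    return True

def sample_db():
    # Constructed accounts, one per legacy format.
    return {
        "alice": "plain$hunter2-sample",
        "bob": "md5x2$a1b2c3$" + legacy_md5("correct horse", "a1b2c3"),
    }

if __name__ == "__main__":
    db = sample_db()
    print(login(db, "alice", "hunter2-sample"), db["alice"][:7])
```

Accounts that never log in again keep their weak record, which is why GTAGaming's statement above also sets a deadline for deleting accounts that are not updated.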

What further tips do you have for anyone affected, or indeed anyone worried that a similar site might be the target of hackers?
