Brazzers gets the shaft in data breach

Years ago, I remember a time when water was free. You would just drink it from the tap and you had to pay for your ‘dirty magazines’. Times have changed to say the least. I was in the market the other day and they were selling a bottled water that was advertised as being a good source of “oxygen”. I didn’t have the heart to counter and argue about the possible dangers of dihydrogen monoxide poisoning. But, I digress. Nowadays you can get your porn fix for free online. Well, there can be a cost. 

This week porn site aficionados who frequent the adult site, Brazzers, found their personal bits swinging in the breeze after a data breach came to light. Almost 800,000 user accounts were compromised in a data breach that apparently took place in 2012.

From CNBC:

The names of nearly 800,000 people who allegedly use the Brazzers porn forum were leaked online, exposing not only the apparent identities of some users but also their public conversations.

This isn’t as awful as it might appear on the surface of it from the perspective of the type of data that was exposed. In this case this was a breach of the forum software that basically was people sharing their likes and dislikes. No financial information was purloined in this incident.

So of course the inevitable question arises, was real data from Brazzers? 

Yup.

Motherboard was provided the dataset by breach monitoring site Vigilante.pw for verification purposes. The data contains 790,724 unique email addresses, and also includes usernames and plaintext passwords. (The set has 928,072 entries in all, but many are duplicates.)

Troy Hunt, a security researcher and creator of the website Have I Been Pwned? helped verify the dataset by contacting subscribers to his site, who confirmed a number of their details from the data.

Now, while this isn’t a major problem on the surface of it, this could come back to haunt some folks affected if the accounts ever make it into circulation. This could potentially negatively impact someone much in the same vein as the Ashley Madison breach.

Imagine, if you will, someone who is a high ranking officer in the military used their .mil email address to sign up for the forum. That’s one of literally hundreds of worst case scenarios that could possibly manifest.

So, how did this happen? Apparently this was due to a vulnerability in the vBulletin software that lead to remote access. The forum was hosted by a third party for Brazzers back in 2012 when the breach occurred. When you look at the number of security issues  that affected this software it really does not come as a surprise.

One case in point that highlights the possible culprit is CVE-2012-4328 which was assigned a score of 10. An unauthenticated remote user could have “total information disclosure, resulting in all system files being revealed.” Ouch.

I’d hazard a guess that could be a prime suspect on the question of “how” the attackers gained access. This is yet another lesson in the school of covering your arse. If you feel the need to participate in forums such as this at least take the time to use a throw away email address and a pseudonym. The possibility of this type of information coming back to expose your unmentionables in full public view are greater than zero.