An unsecured Elasticsearch database belonging to adult live-streaming website CAM4.com leaked up to 7 terabytes of production logs that included over 10.88 billion data records and millions of PII entries.
The unsecured CAM4.com database was discovered by security firm SafetyDetectives who found that the database contained a wealth of personal information such as customers’ first and last names, email addresses, countries of origin, gender preference, sexual orientation, device information, IP addresses, usernames, chat transcripts, password hashes, payment logs including credit card type, the amount paid and applicable currency, and user conversations.
The database belonged to adult live-streaming website CAM4.com owned by Irish company Granity Entertainment. CAM4.com is a popular live streaming “cam model” website that provides explicit content intended only for adults and is used by amateur webcam performers. People visiting the website can purchase virtual tokens to tip performers or watch private shows.
The security research team at SafetyDetective, led by Anurag Sen, found that the database exceeded 7 terabytes in size and included a significant amount of both user and company information with a massive amount of email data records for users in the United States. Furthermore, 11 million out of the 11 billion records found in the exposed logs contained at least one email address from a variety of email providers like gmail.com, icloud.com, and hotmail.com.
While 6.5 million leaked records pertained to U.S. customers, 5.3 million records pertained to Brazilian users, 4.8 million to Italian, 4.1 million to French, 3 million to German, 2.4 million to Spanish, and 1.6 million records pertained to UK customers.
Personal data exposure could result in identity theft, phishing scams, and blackmail
“From a large number of discovered records and the type of information available, several negative outcomes are at risk of occurring including identity theft, phishing scams, website attacks, and blackmail. Full names, emails, and password hashes could also be used to identify users’ real identities and commit various types of deception and fraud. User emails could be targeted with leaked data then used maliciously to trigger clicks with phishing and malware scams deployed against unsuspecting targets,” said SafetyDetectives.
“The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example.
“This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees, and clients of other businesses. Possibly the greatest risk in both financial and reputational respects is the risk of blackmail scams that could be deployed against users who believe they are anonymous when sharing compromising data and content,” the firm added.