Old breach of Brazzers porn forum exposes users

A data set of private Brazzers accounts has surfaced approximately four years after the pornography website's forum was breached.

An old data breach has come back to haunt the pornography site Brazzers and its users, after nearly 800,000 unique accounts registered with the site or its online forum were found published online.

The news was first reported by Motherboard, which was alerted to the leaked data set by breach monitoring site Vigilate.pw. Security researcher Troy Hunt then verified the data by contacting subscribers to his website Have I Been Pwned? Including duplicates, the data dump included 928,072 accounts consisting of 790,724 unique email addresses, as well as usernames and plaintext passwords. The data was posted in April 2013 and remained undetected for over three years.

Brazzers confirmed to Motherboard in an email that the leaked information matched data related to a 2012 security breach of its online discussion forum Brazzerforum, which was operated by a third party. Nevertheless, some Brazzers users who never visited the forum site were also affected because the two web operations shared account information for user convenience. “That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users,” said Matt Stevens, Brazzers public relations manager, in the email.

“This is actually a pretty common practice,” said Tony Perez, co-founder and CEO of Sucuri, regarding the sharing of user account information across multiple entities. “It's done to streamline the experience for the user, and we see organizations like Microsoft, Google, and many others applying similar strategies,” he added in an email interview with SCMagazine.com.

Stevens at Brazzers also told Motherboard that the porn site banned all non-active accounts listed in the data set so that no one else could use the affected usernames and passwords. The report did not specify where the actual data set was leaked, although Have I Been Pwned? founder Hunt, in an interview with SCMagazine.com, said that the data was being traded – "almost like kids trading baseball cards."

According to Brazzers, the Brazzerforum site was hacked via a flaw in its vBulletin forum software. Unpatched vulnerabilities in vBulletin have been the root cause of multiple recent breach incidents, including those impacting the Dota2, Epic Games and GTAGaming video game forums.

"It's becoming a running joke," said Hunt. Forum operators "go and get vBulletin for very cheap, they stand it up [on a] 'cheapie' self-managed infrastructure and then they never update it."

vBulletin in and of itself "isn't necessarily an easy target, or more or less secure,” said Perez, comparing it to WordPress in the content management space. “The biggest issue, however, is that its upgrade path can be complex, being that it requires a license. Most organizations treat it the same [as] most technologies – they install and forget, and choose to cut costs, thinking that they can stay ahead of the threats themselves, but then fail to implement the controls required.”

“If you look at most of the compromises, they all revolve around the exploitation of similar vulnerabilities – all with available patches, but left un-patched in production. This doesn't talk to a weakness in the platform, but a weakness in website administration,” he continued.

“Even the largest of online brands and associated companies are unable, or unwilling, to apply appropriate website maintenance controls designed to help address these challenges. This practice becomes exponentially more important with platforms like vBulletin that are challenging to deploy and keep maintained, but are littered with exploitable vulnerabilities,” said Perez.

According to Motherboard, at the time of writing, Brazzerforum was unavailable to users. But for those account holders who previously did use the Brazzerforum site, the hack could prove especially embarrassing because some may have expressed their sexual desires and proclivities in written form.

Jon Geater, CTO at Thales e-Security, told SCMagazineuk.com, “This kind of hack highlights the complexity of maintaining personal privacy and security online, and keeping your private life private. Although this particular incident concerns an adult site, the flaw came from a piece of generic shared software that is also used on many other sites.”

“The Brazzers hack shows how breaches can come from any direction and leave users exposed. What we learn from this is the need for safe words – and by that I mean not reusing the same passwords,” said James Maude, senior security engineer at Avecto, in a cheeky email to SCMagazine.com. “Simple password hygiene would go a long way to protecting users in cases like this. Using unique passwords for each site might seem daunting but password managers make it easy and they are readily available these days. In the scheme of things this isn't a particularly ground-breaking breach. However, it will no doubt be fetishized by onlookers and the media due to the salacious nature of the content.”
