It’s all too common for companies to leave databases chock full of sensitive information exposed to the great wide internet. But when that company operates an adult livestreaming service, and that data comprises 7 terabytes of names, sexual orientations, payment logs, and email and chat transcripts—across 10.88 billion records in all—the stakes are a bit higher.
The site is CAM4, a popular adult platform that advertises “free live sex cams.” As part of a search on the Shodan engine for unsecured databases, security review site Safety Detectives found that CAM4 had misconfigured an ElasticSearch production database so that it was easy to find and view heaps of personally identifiable information, as well as corporate details like fraud and spam detection logs.
“Leaving their production server publicly exposed without any password,” says Safety Detectives researcher Anurag Sen, whose team discovered the leak, “it’s really dangerous to the users and to the company.”
First of all, very important distinction here: There’s no evidence that CAM4 was hacked, or that the database was accessed by malicious actors. That doesn’t mean it wasn’t, but this is not an Ashley Madison–style meltdown. It’s the difference between leaving the bank vault door wide open (bad) and robbers actually stealing the money (much worse).
“The team concluded without any doubt that absolutely no personally identifiable information, including names, addresses, emails, IP addresses or financial data, was improperly accessed by anyone outside the SafetyDetectives firm and CAM4’s company investigators,” the company said in a statement.
The company also says that the actual number of people who could have been identified was much smaller than the eye-popping number of exposed records. Payment and payout information could have exposed 93 people—a mix of performers and customers—had a breach occurred, says Kevin Krieg, technical director of Smart-X, which manages the CAM4 database. Safety Detectives put the number at “a few hundred.”
The mistake CAM4 made is also not unique. ElasticSearch server goofs have been the cause of countless high-profile data leaks. What typically happens: They’re intended for internal use only, but someone makes a configuration error that leaves it online with no password protection. “It’s a really common experience for me to see a lot of exposed ElasticSearch instances,” says security consultant Bob Diachenko, who has a long history of finding exposed databases. “The only surprise that came out of this is the data that is exposed this time.”
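The failure mode Diachenko describes, an internal log server that ends up reachable with no password, can be caught at configuration time. The following is an added example, not code from the article or from CAM4 or Smart-X: a small Python audit of a flat elasticsearch.yml that flags a node bound beyond loopback while X-Pack security is off. The two sample configs are constructed, and the parser assumes one-level `key: value` lines, which is how elasticsearch.yml is usually written.

```python
"""Audit a flat elasticsearch.yml for the exposed-with-no-auth misconfiguration."""

# Constructed sample: the risky shape (listening on all interfaces, security off).
WEAK_CONFIG = """
cluster.name: logs-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same node, but with authentication and TLS switched on.
HARDENED_CONFIG = """
cluster.name: logs-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the HTTP API on the local machine only.
LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Minimal parser for one-level 'key: value' lines (assumption: no nested
    maps or lists, which is enough for a typical elasticsearch.yml)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")       # Elasticsearch default is loopback
    exposed = host not in LOOPBACK
    # Assumption: absent means off, matching 6.x/7.x basic-licence defaults
    # (8.x turns security on by default).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not security_on:
        findings.append("HTTP API bound to %s with authentication disabled" % host)
    if exposed and security_on and not tls_on:
        findings.append("authentication on but HTTP API not TLS-encrypted")
    return findings
```

Run it against each node's config in CI or a pre-deploy hook; a non-empty result should block the rollout rather than just log a warning.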
And there’s the rub. The list of data that CAM4 leaked is alarmingly comprehensive. The production logs Safety Detectives found date back to March 16 of this year; in addition to the categories of information mentioned above, they also included country of origin, sign-up dates, device information, language preferences, user names, hashed passwords, and email correspondence between users and the company.
Out of the 10.88 billion records the researchers found, 11 million contained email addresses, while another 26,392,701 had password hashes for both CAM4 users and website systems.
“The server in question was a log aggregation server from a bunch of different sources, but the server was considered non-confidential,” says Krieg. “The 93 records got into the logs due to a mistake by a developer who was looking to debug an issue, but accidentally logged those records when an error happened to that log file.”
It’s hard to say exactly, but the Safety Detectives analysis suggests that roughly 6.6 million US users of CAM4 were part of the leak, along with 5.4 million in Brazil, 4.9 million in Italy, and 4.2 million in France. It’s unclear to what extent the leak impacted both performers and customers.
Again, there’s no indication that bad actors tapped into all those terabytes of data. And Sen says that CAM4’s parent company, Granity Entertainment, took the problematic server offline within a half hour of being contacted by the researchers. That doesn’t excuse the initial error, but at least the response was swift.
Moreover, despite the sensitive nature of the site and the data involved, it was actually fairly difficult to connect specific pieces of information to real names. “You really have to dig into the logs to find tokens or anything that would connect you to the real person or anything that would reveal his or her identity,” says Diachenko. “It should not have been exposed online, of course, but I would say it’s not the scariest thing that I’ve seen.”
How Bad Is It?
Which is not to say that everything’s totally fine. If anyone were to have done that digging, they could have found out enough about a person—including sexual preferences—to potentially blackmail them. On a more mundane level, CAM4 users who reuse their passwords would be at immediate risk for credential stuffing attacks, potentially exposing any accounts where they don’t use strong, unique credentials.
Or consider the inverse: If you have the email address of a CAM4 user, Sen says, there’s a decent chance you can find an associated password from a previous data breach, and break into their account.