A team of researchers from SafetyDetectives reports the discovery of a data breach involving billions of records from CAM4.com, an adult live streaming website owned by Irish company Granity Entertainment. According to the experts of the cyber security consulting company, the database holds more than 7 TB of data, and new records continue to be added daily.
The exposed database is an Elasticsearch deployment that includes a significant amount of information on both users and businesses. The vast majority of the records, primarily the email addresses found, belong to users in the U.S. The Ireland-based company was contacted immediately after the find, and the improper access was soon shut down.
The affected site, CAM4, is a “cam models” platform that provides adult streaming services. It is mainly used by amateur models who receive tips via virtual tokens; according to a recent report, CAM4 has paid more than $100 million in commissions to its models since its inception more than 10 years ago.
During their research, the experts from the cyber security consulting company discovered that the affected site is owned by parent company Surecom Corp. According to the research team, millions of PII entries were available for public view without adequate security measures; the exposed information includes details such as:
- Full names
- Email addresses
- Country of origin
- Enrollment dates
- Gender preference and sexual orientation
- Device information used for streaming
- Usernames
- Payment records, including card type and payment amount, among other data
In addition, the database contained user activity and login dates. In total, about 11 million records contained emails, with some entries containing multiple email addresses related to users from multiple countries. Researchers obtained a comprehensive sample of records, country by country.
This leak exposes users and models to various risks, the experts of the cyber security consulting company mention. Threat actors could use full names, email addresses, and hashed passwords to determine the real identity of some users for fraudulent purposes. A larger set of data could also be useful in phishing campaigns or in delivering malware for information theft, says the International Institute for Cyber Security (IICS).
To protect themselves, users and models could reset their passwords, enable multi-factor authentication, and remove their payment card information from the affected site.