Personal information of nearly 26M members and visitors of the CAM4 adult site has been exposed publicly by an unprotected ElasticSearch database
The adult-content website CAM4, which counts billions of visitors yearly, exposed a huge amount of personally identifiable information about its members, Security Detective researchers reported[1] in May 2020. The records had been publicly available since March 16, leaving a 7TB database of first and last names, email addresses, countries of origin, gender preferences, sexual orientation, chat transcripts, IP addresses, payment logs, and other credentials exposed. It is estimated that over 25 million members from the U.S., Brazil, Italy, France, and Germany might have been affected.
CAM4 is a platform owned by Granity Entertainment[2]. It attracts huge traffic and has millions of registered users, including volunteer webcam performers as well as people who stream video for money. The platform sorts its visitors and content by female, male, transgender, or couples and exhibits various amateur sexual activities. Since adult websites[3] statistically draw the highest visitor rates, people expect their owners to take additional security measures to protect this most sensitive information.
The CAM4 incident has been covered by many cybersecurity news websites and is regarded as one of the most intriguing, not only because of the nature of the website whose data was exposed, but also because of the cause and the extent of the leak.
There is no proof of security breach
According to Safety Detectives researcher Anurag Sen[4], there is no proof that the website was hacked. The researcher claims that the platform's administrators misconfigured an ElasticSearch production database; ElasticSearch is a highly scalable open-source full-text search and analytics engine.
Although a hack cannot be ruled out, experts have clear grounds to state that the platform made a configuration mistake and left data intended for internal use with no password protection.
Elastic Stack consultant Bob Diachenko[5] commented on the issue and claims that there are many such cases of data leaks. ElasticSearch is a safe search engine to use when it is configured, as it normally should be, to allow only local access for admins. However, mistakes happen, and misconfigured settings expose sensitive data to the public.
According to Bob Diachenko, admins must be cautious and prevent scenarios like the CAM4 leak by setting up strong password protection, IP filtering, and role-based access control[6].
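As an added illustration of the misconfiguration described above (not code from the article, Safety Detectives or Elastic), this Python script audits an elasticsearch.yml for the settings that together leave an index world-readable, using constructed weak and hardened sample configs; the 10.0.0.5 address and the http.p12 keystore path are placeholders.

```python
"""Audit an elasticsearch.yml for the CAM4-style misconfiguration: a cluster
reachable from the network with authentication switched off. Only the flat
`key: value` layout elasticsearch.yml normally uses is parsed (assumption)."""

# Values of network.host that bind only to loopback; _local_ is the ES default.
LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Return {key: value} for every `key: value` line, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("[]\"'")
    return settings

def audit_elasticsearch_yml(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings = []
    # A missing key is treated as disabled: that was the default on the 7.x
    # releases current in 2020 (security became on-by-default only in 8.0).
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    hosts = {h.strip().strip("\"'") for h in s.get("network.host", "_local_").split(",")}
    exposed = not hosts <= LOCAL_HOSTS
    if not auth_on:
        findings.append("xpack.security.enabled is off: anyone reaching port 9200 can read every index")
    if exposed and not auth_on:
        findings.append("network.host=%s binds a non-local interface with no authentication" % sorted(hosts))
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP TLS is off: credentials and data travel in the clear")
    return findings

# Constructed sample configs (not CAM4's real settings).
WEAK_CONFIG = """
network.host: 0.0.0.0          # listen on every interface
xpack.security.enabled: false  # no users, no roles, no passwords
"""
HARDENED_CONFIG = """
network.host: ["127.0.0.1", "10.0.0.5"]   # placeholder internal address
xpack.security.enabled: true              # enables users and RBAC roles
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_yml(cfg) or ["no findings"])
```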
What data was exposed and who was affected
Unfortunately, data leakage is an everyday event that affects regular users, businesses, companies, and so on. While sometimes the exposed data is “less personal,” in this particular case the leaked data is extremely personal and can have very sad consequences for those affected.
According to the discoverers of the leak, the logs stretch back to March 16 of 2020, which means that the information had been publicly visible for more than two weeks. The numbers are even more shocking: the database comprises nearly 11 billion records, which together amount to 7TB.
The leak does not mean that porn videos on the website were somehow tagged with names or other personally identifiable information. However, more tech-savvy people could have seen general details of members and visitors in the exposed database, including names, email addresses, gender preferences, usernames, payment logs, amounts paid, private chats, password hashes, IP addresses, and more.
Sounds worrisome. Still, experts claim that the CAM4 data leak is not very likely to affect visitors and members personally because, even if criminals accessed this data, identifying a real person would be a tiresome and time-consuming effort. Diachenko says that “You really have to dig into the logs to find tokens or anything that would connect you to the real person or anything that would reveal his or her identity.” Nevertheless, the risk is still there, and the platform is expected to take further steps to protect the privacy of its members and visitors.