Nearly 800,000 Brazzers users’ credentials exposed

Account login credentials of nearly 800,000 Brazzers porn site users have been stolen in 2012, but the breach has only now come to light, after the data dump was obtained by breach monitoring site Vigilante.pw.

Apparently, the credentials were stolen by attackers who leveraged a vBulletin vulnerability to dump the user database of Brazzersforum.com, a site that at the time was managed by a third party.

According to Brazzers’ PR manager Matt Stevens, the “incident” happened in 2012, but the data appeart to have been first dumped online – and likely offered for sale – in April 2013.

Vigilante.pw shared the dump with Motherboard, and they have reached out to some users and have confirmed the legitimacy of the dump. Curiously enough, some said that they never used the forums.

Stevens told the news outlet that “users’ accounts were shared between Brazzers and the ‘Brazzersforum’ which was created for user convenience.”

The data dump includes a little over 790,000 unique email addresses, with associated usernames and plaintext passwords.

After the breach, Brazzers “took corrective measures.” Stevens also says that, after reviewing the data dump, they “banned all non-active accounts in that list in case those usernames and passwords are re-used in the future.”

As Troy Hunt from Have I Been Pwned? commented, as sensitive as this data might be due to the fact that it can reveal the identity of Brazzers users, it’s also doubly so as it can also reveal their sexual preferences and private messages posted and sent through the forum.

At least one of the affected users that has been contacted said that he used a throwaway login/pass for the account, so that it can’t be traced back to him.

“This kind of hack highlights the complexity of maintaining personal privacy and security online, and keeping your private life private,” Jon Geater, Chief Technology Officer, Thales e-Security, commented for Help Net Security.

“Although this particular incident concerns an adult site, the flaw came from a piece of generic shared software that is also used on many other sites. So with generic software bugs all over the Internet and consumers reusing email addresses and passwords reused for many different purposes, there is total uncertainty about what parts of your online – and real – identity are safe and which might be exposed to public gaze.”