A misconfigured database containing 7 terabytes of sensitive user and company information related to adult live streaming site CAM4 has been found leaking data.
The database apparently contains 10.88 billion records holding different combinations of sensitive information, such as names, email addresses, usernames, gender preference and sexual orientation, payment information, IP addresses, as well as user and inter-user conversations, chat transcripts between users and CAM4, fraud and spam detection logs, and hashed passwords.
Luckily for the users and Irish company Granity Entertainment, which owns CAM4.com, the discovery was made by security researchers with Safety Detectives, not malicious actors.
Once the researchers tied the leaking database to the source, they notified Granity Entertainment and the database was pulled offline.
The researchers’ analysis of the leaked data revealed around 11 million records containing emails, 26+ million entries with password hashes, and a few hundred entries containing full names, credit card types and payment amounts.
As the researchers noted, the various data could be used to identify some users.
“User emails could be targeted with leaked data then used maliciously to trigger clicks with phishing and malware scams deployed against unsuspecting targets,” they pointed out.
“The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example. This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees and clients of other businesses.”
In addition to this, some of the data could be used to extort money from CAM4 users. While there is nothing to prevent cyber extortionists from targeting random users/email addresses with threatening emails, the probability of success is higher if they can demonstrate that they do know something about the victim.
Compromised fraud detection logs, on the other hand, can enable hackers to understand how cybersecurity systems have been set up, and website backend data could be harnessed to exploit the website and create threats including ransomware attacks, the researchers pointed out.
There is no indication at the moment that the database has been accessed by anyone other than authorized users and the researchers. Still, if it was exposed or unsecured long enough, chances are good that someone else did have a peek.
The company will hopefully investigate the matter further and notify affected users if necessary.