More than 1.1 million users who expected anonymity from the popular hentai porn site, Luscious, have been victims of a data breach. The site unintentionally left a database unprotected, allowing anyone to access it and potentially identify the site's members and users through their non-public email addresses.
Luscious is an adult site that caters mainly to a niche of people interested in hentai and manga pornography. The site focuses specifically on user-generated, mostly animated, pornographic content, and has become one of the most popular sites in the United States. According to data from Alexa, the site ranks in the top 5,000 websites in the U.S.
A research team from vpnMentor, led by Noam Rotem and Ran Locar, discovered a data breach that compromises the supposedly anonymous data of users who have accounts on the Luscious site. Researchers claim that an unprotected database containing identifiable information of users has been available online for those who know how to look for one.
The unprotected database contained information that the site has promised not to disclose to anyone. What the researchers discovered appeared to be the site’s back-end database that includes more than 235,000 albums, 30,000 user blog posts, and 900 videos. Furthermore, the leaked database also contains details of the site’s 19.7 million photos.
The researchers revealed that each user on the site has a profile set up, which allows them to upload, share, comment on, and discuss content on Luscious. As a rule of thumb for pornographic websites and fora, all of this activity is understood to be hidden behind usernames instead of the users’ sensitive credentials.
“The data breach our team discovered compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address. The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers,” said the researchers from vpnMentor.
The database was first discovered on August 15 and was disclosed to the company on August 16. However, the database was only closed down today.
Researchers and even journalists were not able to get an immediate response from the site administrator, whose email came first in the list of the exposed emails.
“The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences,” the researchers added.
The information contained in the leaked database includes users' usernames and email addresses. The researchers highlighted that at least 20% of the users had used faux email addresses, which indicates that some of them have taken extra steps to keep their identities hidden.
Aside from email addresses and usernames, the database also contained data like user activity logs, or the record of their signup and their most recent login, country of residence/location, as well as gender.
Because of the leaked database, the porn site essentially gave people the chance to access user activities within the website. It allowed the researchers to complete an overview of user activities and view things like:
- The number of image albums they had created
- Video uploads
- Blog posts
- Followers and accounts followed
- Their User ID number – so we can know if they’re active or have been banned
The information disclosed in the database is enough for people to create an accurate approximation of how a user is using Luscious.
“While some of this information is visible to other users, much of it was hidden in the website’s database. All of this combined information creates valuable insights into how people use Luscious,” the researchers said.
The researchers were also able to gain access to the things users are posting, including blog posts and content published on Luscious. This included the author’s details, along with the number of likes, when published, category, etc. They said that some of these disclosed blog posts were “extremely personal” and were meant by the users to be kept anonymous.
The researchers warn that the data contained in the leaked database is enough for a threat actor to launch a cyber attack against an unsuspecting victim, including doxing, phishing, and extortion. They encourage users to change their Luscious login immediately to contain the breach.
“We suggest you immediately change your Luscious account details, including your username, and associated email address. For adult-themed websites, or any other websites of a sensitive nature, always create a username completely unrelated to your personal email address or any other online account,” they said.