1 million YouPorn users exposed; data breach required no security penetration
Investigators probe YouPorn over non-consensual penetration, find poor safe-computing practices
Some stories make you want to wash your hands afterward. With others it's simpler to just wear vinyl gloves while you type.
This is one of the latter.
A hack that penetrated the user database at YouPorn, one of the largest free porn sites on the web, became public knowledge this week when some user data, including email addresses and were posted on Swedish web forum Flashback.org.
The sample that was published there is a subset of the data that was stolen – more than a million user names and passwords from YouPorn's chat section at chat.youporn.com. The chat site was taken down yesterday.
The hack didn't need to probe the most secure dataspace on the YouPorn site, according to EuroSecure, a Swedish security distributor that analyzed the breach.
Sometime around November, 2007, a "careless programmer" left the debug logging function turned on on the main YouPorn server farm, according to Anders Nilsson, CTO at EuroSecure.
Debug logging is usually turned off after the last round of update testing during any web server migration, but this one, somehow, was not,
Worse than just collecting performance data and configurations, the debug log collected copies of every new registration at the site since it was turned on.
Debug logs are typically available through publicly accessible URLs, so programmers testing the site can examine the results without having to log directly into the server.
"The data was found by someone sweeping websites for publicly accessible, but non-linked ('hidden') folders, looking for either porn or sensitive material like this, and struck gold," Nilsson told TheRegister.
The YouPorn exposure wasn't really a hack, since the data was available on a public, non-advertised URL, so it's not a good comparison with the hack of the Brazzers porn portal last week, Nilsson said.
A 17-year-old hacker from Morocco claimed to have broken into the Brazzers site and stolen the personal information of 350,000 users. He posted some of the data to prove he did it.
He did not get any credit-card data, Brazzers spokespeople told the Associated Press.
The Moroccan, who claimed affiliation with Anonymous, got into the site via an inactive but linked user forum, according to Brazzers.
The hacker said he cracked the porn site to expose security flaws and weaknesses.
"I didn't do that for any money," he told the AP in an email.
That makes two major porn-site hacks in two weeks, though the two appear unconnected.
Other porn sites should watch their step and tighten their security, though, if they don't want to risk being covered by writers who can't resist horrible puns in stories about anything salacious or tawdry. Brazzers, YouPorn (and CIA.gov, come to think of it) qualify as both.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
