Adult Live-Streaming Website Leaks 10.88 Billion Records

Outsourcing Data: Don't Take a Fairytale Approach

May 5, 2020

SafetyDetective's security research team, led by Anurag Sen, has discovered a significant data leak stretching into 11 billion records at adult live-streaming website CAM4.com, belonging to Irish company Granity Entertainment.

The server’s database size exceeded 7 terabytes with production logs dating from March 16, 2020 and increasing daily. The unsecured database included a significant amount of both user and company information with the vast majority of email data records referring to users in the US.

The Ireland-based company was immediately contacted and the server was secured shortly afterwards. After reaching out to CAM4.com directly, the security team received a prompt response and was also advised to inform another company called Smart-X.net. Upon further investigation, the team discovered that both domains (CAM4.com and Smart-X.net) are owned by parent company Surecom Corp.

Leaked Records

The number of records leaked amount to 10.88 billion, including personally identifiable information (PII). According to the research team, millions of PII entries were available for public view without adequate security measures, including:

First and last names
Email addresses
Country of origin
Sign-up dates
Gender preference and sexual orientation
Device information
Miscellaneous user details such as spoken language
Usernames
Payments logs including credit card type, amount paid and applicable currency
User conversations
Transcripts of email correspondence
Inter-user conversations
Chat transcripts between users and CAM4
Token information
Password hashes
IP addresses
Fraud detection logs
Spam detection logs

In total, around 11 million records contained emails with some entries containing multiple email addresses relating to users from multiple countries. The security team managed to obtain a broad-based country-by-country view of exposed email records, although not all countries are listed.

What was leaked?

*Image courtesy of SafetyDetective

The security team also discovered 26,392,701 entries with passwords hashes with a proportion of hashes belonging to CAM4.com users and some from website system resources.

Data Breach Impact

From the large number of discovered records and the type of information available, several negative outcomes are at risk of occurring including identity theft, phishing scams, website attacks and blackmail, says the security team, as full names, emails, and password hashes could also be used to identity users’ real identity and commit various types of deception and fraud.

For the full report, includes images, visit https://www.safetydetectives.com/blog/cam-leak-report/

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.