SafetyDetectives' security research team, led by Anurag Sen, has discovered a significant data leak stretching into 11 billion records at adult live-streaming website CAM4.com, belonging to Irish company Granity Entertainment.
The server’s database size exceeded 7 terabytes with production logs dating from March 16, 2020 and increasing daily. The unsecured database included a significant amount of both user and company information with the vast majority of email data records referring to users in the US.
The Ireland-based company was immediately contacted and the server was secured shortly afterwards. After reaching out to CAM4.com directly, the security team received a prompt response and was also advised to inform another company called Smart-X.net. Upon further investigation, the team discovered that both domains (CAM4.com and Smart-X.net) are owned by parent company Surecom Corp.
The number of records leaked amounts to 10.88 billion, including personally identifiable information (PII). According to the research team, millions of PII entries were available for public view without adequate security measures, including:
- First and last names
- Email addresses
- Country of origin
- Sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Payment logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
In total, around 11 million records contained emails, with some entries containing multiple email addresses relating to users from multiple countries. The security team managed to obtain a broad-based country-by-country view of exposed email records, although not all countries are listed.
The security team also discovered 26,392,701 entries with password hashes, a proportion of which belonged to CAM4.com users and some to website system resources.
Data Breach Impact
Given the large number of discovered records and the type of information available, there is a risk of several negative outcomes, including identity theft, phishing scams, website attacks and blackmail, says the security team, as full names, emails, and password hashes could also be used to identify users' real identities and commit various types of deception and fraud.
For the full report, including images, visit https://www.safetydetectives.com/blog/cam-leak-report/