Several camgirl websites, operated by Barcelona-based VST Media have been exposed. The exposure of data affects both sex workers and users.
The reason for the exposure is an unprotected back-end database. Affected users are mostly based in Span and Europe, but TechCruch says they found victims across the whole word, the United States included.
Which camgirl websites were affected?
Three of the affected websites are amateur.tv, webcampornoxxx.net, and placercams.com. Alexa traffic data reveals that amateur.tv is quite popular in Spain, meaning that the number of affected users there is likely bigger.
We have seen this scenario play out multiple times – exposing unprotected databases that contain plenty of data. In this case, the database contained “months-word of daily logs of the site activities”, TechCrunch said, and it was left without a password for weeks.
What did the logs include?
Detailed records of when the users logged in the websites, usernames and in some cases user-agents and IP addresses were also exposed. All these details are classified as personally identifiable information, as they can be used to reveal the identify of users. In addition, the logs also contained users’ private chat messages exchanged with other users, and promotional emails received from the camgirl websites.
But that’s not all. The data also revealed the videos the affected users were watching and renting. And to make things worse – the camgirls’ information is also compromised, as some of their account information was also exposed.
The database was shut off last week, which allowed TechCrunch to share their findings.
What are the consequences for VST Media, owner of the camgirl websites?
Given both the company and its servers are located in Europe, the exposure of sexual preferences would fall under the “special categories” of GDPR rules, which require more protections. Companies can be fined up to 4% of their annual turnover for GDPR violations.
In August, 2019, the adult website Luscious.net was also breached. Leaked data belonging to 1.195 million users contained usernames, email addresses, activity logs, and location details. The incident was discovered on August 15, and the problem was fixed by Luscious on August 19.