The incident was discovered by Safety Detectives and Anurag Sen. The PII was stored in more than 10.88 billion database records. At fault is a misconfigured Elasticsearch cluster.
CAM4 Data Breach: What Happened?
The PII was leaked because one of the website’s production databases was left open to the Internet on a misconfigured Elasticsearch server. CAM4 has approximately 2 billion visitors a year, with members streaming more than 1 million hours of adult content weekly. This amounts to over 75,999 private shows being broadcast every day.
The good news is that the unsecured database was immediately taken down by Granity Entertainment, the Irish parent company of CAM4, shortly after the incident was reported.
What was in the exposed CAM4 member records?
Apparently, the CAM4 user records contained various PII in different combinations, including names, sexual orientation, emails, IP addresses, email message transcripts, and even private conversations of users.
More precisely, the database contained the following types of sensitive information:
- First and last names
- Email addresses
- Country of origin
- Sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Payment logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
In addition, 11 million of the records also included at least one email address from email providers such as Gmail, iCloud, and Hotmail. This makes for an abundance of highly sensitive information, associated with an adult site.
US residents also exposed in the CAM4 leak
After a detailed analysis, the security researchers discovered that 6.5 million of the compromised CAM4 users are residents of the United States. Other affected nationalities include Brazilian and Italian users, according to the Safety Detectives report:
US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated. As expected, countries such as the UAE, Saudi Arabia and Iran all had zero entries given the fact that these countries ban adult content domestically.
CAM4 Data Breach: the Consequences
The availability of fraud detection logs could enable malicious hackers to better understand how cybersecurity systems have been set up, the researchers noted. This knowledge could then be exploited as an efficient verification tool for threat actors, enabling a greater level of server penetration.
Malicious attacks involving malware can also be enabled, as “website backend data could be harnessed to exploit the website and create threats including ransomware attacks”.
Finally, the greatest risk is associated with the financial and reputational aspects of the compromised CAM4 users. Blackmail scams (sextortion scams) can be launched against the victims, as we have already seen happening in other similar cases.
In October 2019, Data Viper security researchers Bob Diachenko and Vinny Troia discovered a wide-open Elasticsearch server which contained “an unprecedented 4 billion user accounts spanning more than 4 terabytes of data.” The server was accessible without the need for authentication, which exposed the data of more than 1.2 billion unique individuals.