Our security research team, led by Anurag Sen, has discovered a significant data leak stretching into billions of records at adult live-streaming website CAM4.com, belonging to Irish company Granity Entertainment.
The server’s database size exceeded 7 terabytes with production logs dating from 16 March 2020 and increasing daily.
The unsecured Elasticsearch database included a significant amount of both user and company information with the vast majority of email data records referring to users in the US.
The Ireland-based company was immediately contacted and the server was secured shortly afterwards.
Who is CAM4?
CAM4 is a live streaming “cam model” website providing explicit content intended only for adults.
CAM4 is predominantly used by amateur webcam performers with site customers able to purchase virtual tokens that can be used to tip performers or watch private shows.
According to news reports, CAM4 has paid out more than US$100 million in performer commissions since its inception in 2007.
Surecom Corp connection
After reaching out to CAM4.com directly, our security team received a prompt response and was also advised to inform another company called Smart-X.net.
Upon further investigation, our team discovered that both domains (CAM4.com and Smart-X.net) are owned by parent company Surecom Corp.
What was leaked?
| | |
|---|---|
| Number of records leaked | 10.88 billion including personally identifiable information (PII) |
| Number of customers/users affected | Unknown |
| Server size | 7 terabytes |
| Server location | Netherlands, hosted by Mojohost B.V. |
| Company location | Ireland (also registered in other jurisdictions) |
According to the research team, millions of PII entries were available for public view without adequate security measures, including:
- First and last names
- Email addresses
- Country of origin
- Sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Payments logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
Logs reveal user password information
The email count exceeded several million although the exact number could not be accurately gauged because of multiple entries.
According to the research team, a large volume of emails was sourced from major email domains such as gmail.com, icloud.com and hotmail.com.
However, many pieces of private information were not available while password fields were masked in the instances seen by our investigators.
Database contained user activity and login dates for public view
In total, around 11 million records contained emails with some entries containing multiple email addresses relating to users from multiple countries. Our team managed to obtain a broad-based country-by-country view of exposed email records, although not all countries are listed.
US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated. As expected, countries such as the UAE, Saudi Arabia and Iran all had zero entries given the fact that these countries ban adult content domestically.
The security team also discovered 26,392,701 entries with password hashes, with a proportion of hashes belonging to CAM4.com users and some from website system resources.
Altogether, a “few hundred entries” revealed full names, credit card types and payment amounts. The combination of all three is a critical aspect — as opposed to having limited access to just payment amounts without full names — because in unison they create a far greater security risk compared to just one or two information points in isolation.
According to the investigation carried out by our security team, it is unclear to whom the various information refers – either content providers or content viewers. However, it may be the case that all users have the option to post videos if they choose.
Purchase details with email
Data Breach Impact
Given the large number of discovered records and the type of information available, several negative outcomes are possible, including identity theft, phishing scams, website attacks and blackmail.
Full names, emails, and password hashes could also be used to identify users’ real identities and commit various types of deception and fraud.
User emails could be targeted, with leaked data then used maliciously to trigger clicks in phishing and malware scams deployed against unsuspecting targets.
The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example.
This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees and clients of other businesses.
The availability of fraud detection logs enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as enabling a greater level of server penetration.
Moreover, website backend data could be harnessed to exploit the website and create threats including ransomware attacks.
Possibly the greatest risk in both financial and reputational respects is the risk of blackmail scams that could be deployed against users who believe they are anonymous when sharing compromising data and content.
Preventing Data Exposure
How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?
- Be cautious of what information you give out and to whom
- Check that the website you are on is secure (look for https and/or a closed lock)
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
- Create secure passwords by combining letters, numbers, and symbols
- Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
- Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks
- Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware
is the world’s largest antivirus review website.
The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data.
Published on: May 4, 2020