'Upskirt' porn website hit with massive data leak exposing 180,000 voyeurs
Leak contained a number of military and government emails and IP addresses.
The personal details of roughly 180,000 members of an underground pornography community focused on sharing voyeuristic images and so-called "upskirt" pictures of unsuspecting women have been leaked online due to a misconfigured database.
The full trove of leaked personal details contain 178,201 unique email addresses, alongside usernames, hashed passwords, dates of birth, IP addresses and a series of website logs – such as 'join date', 'last post date' and 'reputation' point statistics. There was no financial data included.
The website in question, The Candid Board, is dedicated to images, videos and forum posts about women who appear to be unaware they are being photographed or recorded – in many cases while sunbathing on beaches or socialising in bars.
"We do not want to limit people by a narrow definition of what is and what is not 'candid'. Basically anything un-posed and non-professional is allowed as long as no board rules are broken," the website states in an FAQ. Subscriptions are priced at $19.99 a month.
IBTimes UK obtained the leaked details from a source who wished to remain anonymous. The details from the leaked database, which has now been secured, were reportedly obtained from September 2015. They were being managed by a US-based cloud hosting provider called Webair.
"Rather than try to track down a forum administrator, who probably doesn't want to be tracked down, I decided to contact the hosting company Webair," our source said. "I made my way through an automated system and pushed the buttons for tech support.
"When I described the issue to the support on the other side, he immediately understood what the problem was. It was almost as if they were aware of the problems in their system. We didn't talk for long. He said he would contact the client and then we hung up."
Upon analysis, there were 19 .gov email addresses with domains including wales.gsi.gov.uk, education.tas.gov.au, bom.gov.au and houstontx.gov. There are also nearly 70 .mil records, the majority of which were us.army.mil (32) and navy.mil (6).
When tested, a number of the IP numbers in the leak appeared to match their corresponding email address. In one example, an IP search for the person using the email "wales.gsi.gov.uk" brought up the result: http://host246.welsh-ofce.gov.uk.
"It's been secured, but I still have a large chunk of data from multiple boards operated by this group," our source added, in reference to another leaked database holding tens of thousands of records from a separate website called NonNudeGirls.
This member data, also obtained by IBTimes UK, included usernames, IP addresses and plain-text passwords. Both affected pornography websites are listed as being run from the same address in Cyprus, under the name GreenArrowMedia.
In both instances, IBTimes UK attempted to verify the leaked emails by contacting a sample of those included, but received no responses. A number of the email addresses – from Gmail, Hotmail and Yahoo domains – were listed as "not available" when tested with the relevant sign-up process.
Troy Hunt, a security expert who manages breach notification website HaveIBeenPwned, has uploaded the data to his service, however it will only be discoverable by verified owners of the data due to its sensitive nature. It will not be publicly searchable to protect identities.
"It's amazing how much personal data people will entrust sites of this nature with," Hunt said. "Members provided accurate email addresses and birthdates which combined with their IP address now very clearly ties them back to a site of very questionable legal status."
IBTimes UK contacted The Candid Board for comment via its support email address, however had received no response at the time of publication.
Over the past 12 months, there have been a number of high-profile data leaks due to misconfigured databases, often left connected to the web without adequate username and password protection.
Last year Mexico, Turkey and the Philippines each suffered massive leaks of citizen voter registration data, while another incident saw the World-Check database, holding over 2.2 million records on individuals with suspected criminal links, leaked online.
© Copyright IBTimes 2024. All rights reserved.