Massive Hentai Database Leak Exposes Sensitive Information of More Than 1 Million Users

19/08/2019

As the internet grows, so does digitized pornography.

People who expect that consuming porn on the internet keeps others from knowing their preferences are wrong. When Brazzers was hacked in 2016, for example, the data of hundreds of thousands of users was leaked to the public web.

This time, a similar thing happened to Luscious.net, the adult website dedicated to the hentai genre.

Its database was left open to the public internet, exposing usernames, email addresses, activity logs, and location data for its 1.195 million users.

The team at vpnMentor, which discovered the leak, said that the database ties some of the email addresses to the real names of users registered on Luscious.net.

Some of the information is even tied to location data, and is more than enough to associate specific Luscious accounts with their owners.

Screenshot of Luscious leaked database entry. (Credit: vpnMentor)

According to the vpnMentor team in a blog post:

"The impact of this data breach on users could be devastating, personally and financially. Activity on adult sites like Luscious is the most private in nature, and nobody ever expects it to be revealed."

Making things worse, the team noted that they were able to access users' video uploads to the site, meaning that some of the database entries tied some users' real names to their uploaded pornographic images.

This incident would allow blackmailers or extortionists to surreptitiously gather these account holders' personal details for malicious purposes.

The breach was discovered on August 15th, 2019, and after being notified by vpnMentor, Luscious.net quickly fixed the issue on August 19th.

However, that doesn't mean that no harm was done.

The team found only that the database was open for anyone to see, with no data on whether anyone else had found it prior to its discovery. Still, "it’s still possible that other hackers could have accessed it earlier and extracted the same data we viewed."

"A greater issue of concern is the fact that many users joined Luscious on official government emails," noted vpnMentor. "We found examples of this from users in Brazil, Australia, Italy, Malaysia, and Australia."

The team at vpnMentor suggested that Luscious.net users change their account details, including their usernames and associated email address.

"For adult-themed websites, or any other websites of a sensitive nature, always create a username completely unrelated to your personal email address or any other online account," the team continued.

"If you have revealed your location on Luscious, remove this detail from your profile. You can also change your location using a VPN."

The vpnMentor research team discovered the breach in Luscious’s databases as part of its web mapping project. The team used port scanning to examine particular IP blocks, test open holes in systems for weaknesses, and examine each hole for leaked data.

"Our team was able to access this database because it was completely unsecured and unencrypted," said the team.