Why Everyone Should Be Worried

The details of nearly 800,000 Brazzers forum users have been leaked.

Back in 2009, it won the AVN Award for Best Adult Website. Three years later, the private information of 790,724 users was subject to a breach. It's a privacy nightmare, akin to the Ashley Madison data dump in 2015.

As if having users' porn habits leaked wasn't bad enough, this could have even wider implications.

What Happened?

We should've seen something like this coming. Some are billing this as affecting everyone who has ever visited an adult website, but that's not the case at all. Nonetheless, it does hint towards a widespread vulnerability that might affect the majority of sites with a discussion forum.

But first, let's focus on what happened to Brazzers, among the top 125,000 most popular websites in the world. If we limit the Alexa search to just India, it's in the top 25,000. That might seem like nothing, but considering there are around 1 billion sites on the internet, it's pretty impressive.

The breach occurred in 2012, which is admittedly a long time ago. It's among a number of leaks from that year that we've bizarrely only just heard about, including LinkedIn and Dropbox, the latter of which affected some 68 million users.

Brazzers itself wasn't breached -- instead, it was its forum, which is actually more worrying. Plus, normal Brazzers account holders might still have cause for concern. Matt Stevens, the site's public relations manager, explains:

The incident occurred because of a vulnerability in the said third party software, the "vBulletin" software, and not Brazzers itself. That being said, users' accounts were shared between Brazzers and the "Brazzersforum" which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users.

That's all well and good, but nobody was informed when it actually happened. It's far from the admirable way Moonfruit dealt with a recent attack.

Usernames, email addresses, and passwords were leaked, but the forum was a place for folk to discuss their deepest desires: whereas before, those fantasies were hidden behind a mysterious username, this links users' particular quirks with their email addresses.

Though the dataset included 928,072 emails, many were duplicates. That still leaves 790,724 unique users affected.

How Could This Get Any Worse?

You might think there wasn't much of an impact considering we've only just heard about it. After all, if victims came out of this badly, we'd have heard about it already. It is, however, very concerning, especially with the rise in sextortion.

But there are two main reasons this could be worse than it initially sounds.

The first is that these passwords were in plain text. You may be wondering how responsible websites securely store passwords. The answer is, not as plain text. There's nothing secure about plain text. This means that, if someone were to gain access to a dataset that includes your password, it would read exactly how you input it. It wouldn't matter if your password were the most complicated seemingly-secure passphrase of all time: a hacker could just read it.

Plain text means no encryption, no salting, no hashing. It's absolutely insane that any site still stores something important in that form. Users of porn sites especially expect a very high level of encryption, but this Brazzers breach reminds us that even some of the most popular sites use insecure approaches to your private information.


Further hacks of vBulletin revealed that the forum software allows users to encrypt passwords as they like, so we can infer that Brazzers itself is responsible for using plain text.

The core concern, however, is exactly that it was a vulnerability in vBulletin -- which is used by nearly 40,000 live sites. Patches for vulnerabilities have been made, but they naturally rely on the sites' administrators to upgrade. And that's a problem.

GTA Fans Were Also Affected

The details of nearly 200,000 accounts on GTAGaming, a site dedicated to the acclaimed Grand Theft Auto series, were leaked last month, including email addresses, dates of birth, IP addresses, and passwords, the latter at least hashed twice (although only with the MD5 algorithm) and salted. It's prompted the site to ditch vBulletin altogether:

We have now closed the forums permanently, and any accounts not updated within the next couple weeks will be deleted from the database. We will be moving the account database into a more secure authentication system, removing all trace of the vBulletin forum software, and until then will be keeping a close eye to prevent any further compromises.
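To make the difference between the storage forms discussed above concrete, here is an added Python example (not code from the article, Brazzers, GTAGaming or vBulletin) that stores and verifies the same password three ways: plain text, a salted double MD5 assumed to be md5(md5(password) + salt), and a slow salted PBKDF2 hash. The "scheme$salt$digest" record format and the round count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; chosen for a quick demo, raise it in production.
PBKDF2_ROUNDS = 200_000


def store_plaintext(password: str) -> str:
    # What ends up in the database is exactly what the user typed.
    return "plain$$" + password


def store_double_md5(password: str, salt: Optional[bytes] = None) -> str:
    # Assumed vBulletin-style scheme: md5(md5(password) + salt). The salt
    # defeats precomputed tables, but MD5 is fast, so it stays a weak choice.
    if salt is None:
        salt = os.urandom(3)
    inner = hashlib.md5(password.encode()).hexdigest()
    digest = hashlib.md5(inner.encode() + salt).hexdigest()
    return f"md5x2${salt.hex()}${digest}"


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    # Salted and iterated: every guess costs PBKDF2_ROUNDS HMAC operations.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    # Recompute the record under its stored scheme and compare in constant time.
    scheme, salt_hex, _ = record.split("$", 2)
    salt = bytes.fromhex(salt_hex)
    if scheme == "plain":
        candidate = store_plaintext(password)
    elif scheme == "md5x2":
        candidate = store_double_md5(password, salt)
    elif scheme == "pbkdf2":
        candidate = store_pbkdf2(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, record)


def exposes_password(record: str, password: str) -> bool:
    # True when reading the stored record alone reveals the password.
    return password in record
```

Only the plain-text record fails `exposes_password`; the two hashed forms do not contain the password, and the PBKDF2 record changes on every call because of its per-user salt.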

Considering the number of high-profile sites that use vBulletin -- notably including ubuntuforums.org, the official forum for the Linux operating system -- a major problem with vBulletin could cause serious trouble. vBulletin itself was attacked last year, resulting in all users having to change their passwords, as was the developers' linked site, VBTeam.

What Can You Do?

The first thing you should do is check whether your email address was part of the leak. If you're on Brazzers, it's well worth doing. If you're not, you can still check out Have I Been Pwned?, which will tell you whether you've been victim of any breaches, whether on NSFW sites, social media sites like MySpace, or your email provider like Gmail.

If you have been a victim, you certainly need to change your password, both on the Brazzers forum and on your email account. Just because your data was included in the breach, that doesn't mean scammers have actually managed to bombard you with spam, or spoof your address. On the other hand, as this leak was in 2012, there's a chance you'll have suffered any consequences already.

Nonetheless, if you've a Gmail account, you could check your Activity Monitor, just to make sure nothing dodgy has happened. In fact, we'd always recommend keeping track of the latest security breaches -- again, just in case.

If you're signing up to a site that might require information you'd prefer to keep private (like any embarrassing secrets), use a unique email address and password, which will make it tougher for potential cybercriminals to link your real name to your online dealings.


And if you're an administrator on a site that relies on vBulletin, make sure you update it. The most recent patch was only last month, which came about after the forums of the multiplayer Dota 2 were breached, affecting 1.9 million accounts.

What Lessons Can Be Learned?

It's not the fault of those using the Brazzers forum, but users of that discussion community should still be extra vigilant when inputting sensitive data. Anyone using other adult sites should take note too.


It's about time companies realized that passwords aren't safe hashed with MD5, let alone stored in plain text! If you spot a site using the latter, you should inform Plain Text Offenders.

What further tips do you have for anyone affected, or indeed anyone worried that a similar site might be the target of hackers?
