Adult Streaming Website Exposes Personal Data of Millions of Users


CAM4, a popular adult live streaming service, has exposed billions of records because their server wasn’t properly protected. SafetyDetectives, an online security research team, discovered the CAM4 leak on Monday. It’s not known whether anyone with malicious intent has gained access to the data.

The website

CAM4 is a website mostly used by amateur webcam performers. It has around 2 billion visitors worldwide each year. Customers can tip performers with virtual tokens that they can buy on the website, or they can pay for a private show. It is not clear how many people were impacted by the issue, since some of the email addresses showed up in the database more than once.

The security company SafetyDetectives was researching unsecured databases, and found that CAM4 had not secured their information well enough. The Elasticsearch server used to store the data was misconfigured and was thus left unprotected. The data that was exposed comprises 7 terabytes of information, including names, country of origin, sexual orientation, payment information, password hashes, device information, and email and chat transcripts. In total, 10.88 billion records were exposed. Brazillian, Itallian, and US users were most heavily affected according to the researchers.

Exposed Data

The data found dates back to March 16 of this year. In the data, the researchers found 11 million email addresses and 26 million password hashes for accounts and website systems. Some hundred entries in the database included name, credit card type, and payment amounts. Cyber criminals could use this for identity theft. Once the researchers found the data, they immediately contacted Granity Entertainment, CAM4’s parent company. They took the server offline within half an hour. So the data is no longer accessible.

Diachenko, who is one of the researchers, said that “[y]ou really have to dig into the logs to find tokens or anything that would connect you to the real person or anything that would reveal his or her identity.” He added that the data “should not have been exposed online, of course, but I would say that it’s not the scariest thing I’ve seen.” Even though the exposed data contained very sensitive information, it was not that easy to match the data with a specific person.

Potential Consequences

So far, there is no indication that anyone with malicious intent has gained access to the data. But criminals could definitely use this intel for wrongdoing. Identity theft is one of the main worries, mainly for the entries that included more than one piece of information about an individual. But the information can also be used to blackmail people. Hackers can use sensitive information to threaten someone with exposing their online behavior to their family, unless they pay a ransom to keep them quiet.

Also, people who don’t use unique passwords for their accounts could help hackers break into their other accounts across the internet. That is why it so important that people use unique passwords for their online accounts. A large amount of the email addresses came from popular domains such as Google, Hotmail, and iCloud. These domains are attached to many other services, such as cloud storage. Hackers could use the exposed information for phising purposes, which could give them access to all this online storage.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.