This is a reminder for all Internet users: we must be careful about the sites where we enter our personal data when registering an account. Information security experts report that Luscious, a website for sharing adult-only content, has suffered a data breach, compromising the personal data of more than one billion users.
Compromised data include personal details such as usernames, email addresses, gender, activity history on the site, location data, and, in some cases, users’ full names.
Information security specialists at the firm vpnMentor detected the incident, which allegedly occurred last weekend and was corrected this Monday. It has been reported that about 20% of Luscious’ users registered with fake or temporary email addresses; on the other hand, it is estimated that almost one million people registered on the website using a legitimate email account that is currently in use.
Another disturbing finding is that a small number of users registered on the website using their corporate or governmental email accounts, a practice found primarily among employees in Australia, Brazil, Italy and some Asian countries. “This is a security risk not only for employees, but also for private companies and public bodies,” the vpnMentor experts said. “In case of access to employee email accounts, a hacker could perform other severe intrusions,” the experts added.
According to the report, those affected include residents of countries such as Russia, Germany, Canada and Poland, in addition to those mentioned above. Leaked information includes videos uploaded to the site, user IDs, site contacts, and personal profile posts.
Profile posts contain particularly sensitive information, as many users use this feature to write very personal texts that reflect their moods, habits and other personality traits, so specialists fear that this information could be used against the data breach victims.
Information security experts believe that access to so many details about the personal lives of those affected by the data breach gives threat actors ample material to carry out phishing campaigns, identity fraud and extortion, among other malicious activities. “Those affected by this incident are vulnerable to what we know as ‘sextortion’, which could lead to considerable economic losses and moral damage to victims,” they add.
This point of view is shared by information security specialists at the International Institute of Cyber Security (IICS), who believe that the conditions are in place for hackers to take advantage of users’ email addresses, names and location data. “This information can be used to craft legitimate-looking emails in order to deceive users, as well as expose them to mass spam sending, invasive marketing campaigns, among other possible scenarios”.
The site’s operators have advised all users to reset their passwords and modify their records on the website, including their email and username. Perhaps the main lesson to be learned from this incident is that we should not use our real name and personal email account to access these kinds of platforms, as the risk of exposing our personal details is always present.