Luscious.net Security Hole Exposes 1 Million+ Users’ Data
A systemic hole exposing over one million Luscious.net users’ data was discovered by vpnMentor earlier this month.
The site is known for “serving up your daily dose of free hentai pictures, hentai, doujinshi, hentai manga, sexy girls, porn and everything else xxx-related.” Typically, private profiles allow users to upload, share, comment on and discuss content, with identities masked behind usernames. Led by Noam Rotem and Ran Locar, vpnMentor discovered that a weakness in the system and data breach compromised this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address.
The exposed data included usernames, gender, email addresses, activity logs and country of residence/location information for all 1.195 million Luscious.net users. The available data gave a complete overview of user activities, including the number of image albums they had created, video uploads, comments, blog posts, favorites, followers and accounts followed. vpnMentor also reported that many users had joined Luscious.net using official government email addresses. They found examples of this from users in Brazil, Australia, Italy and Malaysia.
The vpnMentor team discovered the breach as part of a larger web mapping project on August 15 and reported it the following day.
According to Mashable.com, vpnMentor is not saying the data was stolen by a malicious actor — just that it was wide open for the taking. That doesn’t mean it wasn’t taken or stolen though. They surmised that, if Luscious.net users happened to use email addresses associated with their real names to register accounts, that information — tied to location data — could be more than enough to associate specific accounts with their owners. If someone wanted to.
Experts report that this data exposure could easily have been avoided if Luscious.net had taken some basic security measures, including securing its servers and implementing proper access rules. For users, they recommend immediately changing account details, including the username and the associated email address.
Further, for adult-themed websites (or any other websites of a sensitive nature), they suggest users always create a username completely unrelated to their personal email addresses or any other online account. This seems obvious; however, in a world where the website itself is leaving your info wide open, “obvious” must really be replaced with “mandatory.”