Users' Passwords Exposed During a Hack of Pornographic Websites
Let's say a moderately popular online game that you play gets hacked. You've used a personal email address that's reserved mostly for junk mail. Alongside it, the hackers steal your home IP address, the nickname you use when you play the game, and they also get their hands on the password as stored by the game developer.
If your network is configured correctly, the hackers can't do much with your IP, and because the developer is a responsible organization that takes security seriously, your password is properly salted and hashed before it's stored, meaning that the crooks can't recover it. The upshot is that while you will probably see an uptick in the amount of spam arriving at the leaked email address, you are unlikely to suffer any other consequences.
While plausible, this scenario is made up. The next one, unfortunately, isn't.
Eight adult websites leak more than 1.2 million records
Last week, Troy Hunt, operator of the HaveIBeenPwned data breach notification service and all-out infosec legend, obtained a 98MB file containing 1.2 million records. Upon further investigation, he found that the database was shared by eight separate adult websites: wifelovers[.]com, wifeposter[.]com, asiansex4u[.]com, indiansex4u[.]com, bbwsex4u[.]com, nudemen[.]com, nudelatins[.]com and nudeafrica[.]com. The data dump consists of names, usernames, email and IP addresses, as well as hashed passwords.
These are not just any run-of-the-mill porn websites. Some of them apparently serve as platforms where users publish intimate photos of their spouses. There's no telling whether those spouses agreed to have their pictures shared with the world, meaning that they could be quite upset if they find out what has happened.
Having your data exposed by an adult website is always embarrassing, but it doesn't necessarily ruin your marriage. In this case, it may very well do that. Unfortunately, that's not the only bad news.
Woefully bad password storage
Wifelovers[.]com, the main website that fell victim to the attack, was launched more than twenty years ago, but even by the standards of the day it wasn't doing a great job of protecting users' passwords, and nothing changed over the next two decades. The passwords were hashed with an algorithm known as Descrypt. Descrypt is based on the old Data Encryption Standard, and it was created in 1979. Even in 1997, it was considered a bad idea to protect passwords with that ancient algorithm. Descrypt is indeed slightly better than MD5, and it does salt the passwords automatically. The salt is way too small, however, and users aren't allowed to create a password longer than eight characters. As a result, modern hardware can recover passwords hashed with Descrypt in mere seconds.
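As an added defender-side example (not code from the article or from any of the sites named), here is a small Python audit that recognises Descrypt-shaped hashes in a user table and flags them for re-hashing, next to signatures for sha512crypt, bcrypt and Argon2 so the contrast in salt size and input truncation is visible. The regexes, the HashFormat fields and the SAMPLE_USERS table are assumptions and constructed placeholders, not breach data.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HashFormat:
    name: str
    pattern: "re.Pattern[str]"
    salt_bits: int               # size of the salt space the scheme allows
    max_password: Optional[int]  # characters actually used; None = no truncation
    slow: bool                   # tunable cost or memory-hard, i.e. built for passwords

# crypt(3)-style signatures (assumed regexes, not the article's). Descrypt is 13 chars
# from ./0-9A-Za-z: the first two are the 12-bit salt, and only the first 8 password
# characters (7 bits each) feed the 56-bit DES key, so longer passwords are truncated.
FORMATS = (
    HashFormat("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$"), 12, 8, False),
    HashFormat("sha512crypt", re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"), 96, None, True),
    HashFormat("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"), 128, 72, True),
    HashFormat("argon2", re.compile(r"^\$argon2(i|d|id)\$"), 128, None, True),
)

def classify(stored: str) -> Optional[HashFormat]:
    """Return the matching format, or None for an unrecognised string."""
    return next((f for f in FORMATS if f.pattern.match(stored)), None)

def audit(records):
    """records: iterable of (username, stored_hash). Returns (username, format, reason)
    for every hash that should be re-hashed with a modern KDF at the user's next login."""
    findings = []
    for user, stored in records:
        fmt = classify(stored)
        problems = [] if fmt else ["unrecognised hash format"]
        if fmt and not fmt.slow:
            problems.append("fast hash with no tunable cost")
        if fmt and fmt.salt_bits < 64:
            problems.append(f"{fmt.salt_bits}-bit salt ({2 ** fmt.salt_bits} values)")
        if fmt and fmt.max_password is not None and fmt.max_password <= 8:
            problems.append(f"only the first {fmt.max_password} password characters are used")
        if problems:
            findings.append((user, fmt.name if fmt else "unknown", "; ".join(problems)))
    return findings

# Constructed sample table; the hash strings are shape-only placeholders, not real hashes.
SAMPLE_USERS = [
    ("legacy_user", "Xy1aBcDeFgHiJ"),
    ("bcrypt_user", "$2b$12$" + "a" * 53),
    ("sha_user", "$6$" + "s" * 16 + "$" + "h" * 86),
    ("odd_user", "not-a-hash"),
]
```

Running `audit(SAMPLE_USERS)` reports only the Descrypt-shaped and unrecognised entries; a site in the position described above would then force a re-hash of flagged accounts at their next successful login.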
Because of this, after they were informed about the leak (not without the help of Ars Technica), the owners of the attacked websites took their services offline and posted a breach notification, urging all users to change their password anywhere else they had used it.
You can see how different data breaches can have different consequences. What happened to Wifelovers' members is just about as bad as it gets, and it does show that you can never be sure where and when your data is going to get leaked.