This is a reminder for all Internet users: we must be careful about the sites where we enter our personal data when registering. Information security experts report that Luscious, a website for sharing adult-only content, has suffered a data breach that compromised the personal data of more than one billion users.
Compromised data include personal details such as usernames, email addresses, gender, activity history on the site, location data, and, in some cases, users’ full names.
Information security specialists at the firm vpnMentor detected the incident, which allegedly occurred last weekend and was corrected this Monday. It has been reported that about 20% of Luscious’ users registered with fake or temporary email addresses; on the other hand, it is estimated that almost one million people registered on the website using a legitimate email account that is currently in use.
Another disturbing finding is that a few users registered on the website using their corporate or governmental email accounts, a practice seen primarily among employees in Australia, Brazil, Italy and some Asian countries. “This is a security risk not only for employees, but also for private companies and public bodies,” the vpnMentor experts said. “In case of access to employee email accounts, a hacker could perform other severe intrusions,” the experts say.
According to the report, those affected live in countries such as Russia, Germany, Canada and Poland, in addition to those mentioned above. Leaked information includes videos uploaded to the site, user IDs, site contacts, and personal profile posts.
Profile posts contain particularly sensitive information, as many users use this feature to write very personal texts that reflect their moods, habits and other personality traits, so specialists fear that this information could be used against the data breach victims.
Information security experts believe that access to so many details about the personal lives of those affected by the data breach gives threat actors ample resources to carry out phishing campaigns, identity fraud and extortion, among other malicious activities. “Those affected by this incident are vulnerable to what we know as ‘sextortion’, which could lead to considerable economic losses and moral damage to victims,” they add.
This point of view is shared by information security specialists at the International Institute of Cyber Security (IICS), who believe the conditions are in place for hackers to take advantage of knowing users’ email addresses, names and location data. “This information can be used to craft legitimate-looking emails in order to deceive users, as well as expose them to mass spam sending, invasive marketing campaigns, among other possible scenarios”.
Site controllers have advised all users to reset their passwords and modify their records on the website, including their email and username. Perhaps the main lesson to be learned from this incident is that we should not use our real name and personal email account to access these kinds of platforms, as the risk of exposing our personal details is always