October 10, 2019

Sex industry forum suffers data breach (and professionals could get caught with their pants down)

By Luke Christou

A Dutch website where users share reviews, experiences and tips on the sex industry has been compromised by hackers, exposing the details of its 250,000 users that had signed up to use the forum and leaving them vulnerable to exploitation.

Data taken from Hookers.nl includes email addresses, usernames, IP addresses and encrypted passwords.

The hacker behind the breach is reportedly demanding $300 for the haul according to Dutch broadcaster NOS, which first reported on the breach.

The breach was a result of the technical weakness that was discovered in forum software vBulletin a few weeks ago. The same vulnerability was used to cybersecurity giant Comodo earlier this month. The Hookers.nl breach occurred before a patch was applied that removed the vulnerability.

The company behind Hookers.nl, adult-focused internet company Midhold, has acknowledged that the breach occurred and has added functionality to allow users to quickly remove their accounts.

Hookers.nl data breach leaves users vulnerable to exploitation

With 250,000 accounts compromised, this is small in comparison to the 100 million customers affected by the Capital One breach. Likewise, no financial information was stolen, as it was in the British Airways breach.

However, the nature of the company breached means it could prove to be equally, if not more damaging. The forum is frequented by those that both work in the sex industry, as well as clients of sex workers.

“Compared to some notorious breaches that have occurred in the last 12 months involving billions of compromised records, this data breach may seem comparatively insignificant,” Ilia Kolochenko, CEO of cybersecurity company ImmuniWeb, said. “However, in terms of reputational damage it’s apt to inflict upon the victims, the impact may be unprecedentedly disastrous.”

This breach echoes the Ashley Madison data breach in 2015. Users of the site – aimed at married individuals looking to cheat on their partners – saw their data compromised and leaked on the dark web. Numerous suicides, thought to be connected, were reported in the wake of the breach.

“This time, the harm may be even more voluminous, diverse and long-lasting,” Kolochenko said.

“Sadly, many victims will likely be reluctant to file a lawsuit or criminal complaint being embarrassed by the nature of the incident.”

Business professionals could be cybercriminals’ top targets

It is highly likely that Hooker.nl users will be targeted by cybercriminals hoping to capitalise on any fear and embarrassment.

While real names haven’t been compromised in the breach, NOS said that some of the data it viewed contained real names in the email addresses used to open an account. This means that, in some cases, account owners could potentially be identified from the data leaked.

According to Kolochenko, blackmail attempts are likely to be made against victims and their families, offering to remove their details for a fee.

Sextortion scams like this are common. Cybercriminals often claim to have recorded victims browsing adult content and threaten to send the recording to their friends and family unless a payment, usually in Bitcoin, is made.

However, more professional cybercriminals could use the compromised data to extort bigger rewards from victims.

“Professional cyber mercenaries may deploy smarter tactics, for example, asking employees of large organisations and IT vendors to share confidential data or access codes menacing to expose their secrets to management and colleagues,” Kolochenko explained.

However, those approached by extortionists shouldn’t hand over any money or information, but instead report the incident to the relevant authorities.

“In many jurisdictions, victims cannot be fired or reprimanded for their personal life that does not involve their employer,” Kolochenko said.

Read more: Latest sextortion scam speaks your language to steal thousands in Bitcoin