The database underlying an erotica site known as Wife Lovers has been hacked, and the attackers made off with user information whose passwords were protected only by DEScrypt, an outdated and easily cracked password-hashing scheme.
Over the weekend, it came to light that Wife Lovers and seven sister sites, all similarly targeted to a specific adult interest (asiansex4u[.]com; bbwsex4u[.]com; indiansex4u[.]com; nudeafrica[.]com; nudelatins[.]com; nudemen[.]com; and wifeposter[.]com) were compromised thanks to an attack on the 98-MB database that underpins them. Between the eight different adult websites, there were more than 1.2 million unique email addresses in the trove.
“Wife Lovers acknowledged the breach, which impacted names, usernames, email and IP addresses and passwords,” explained independent researcher Troy Hunt, who verified the incident and uploaded it to HaveIBeenPwned, with the information marked as “sensitive” due to the nature of the data.
The site, as its name suggests, was dedicated to posting intimate adult photos of a personal nature. It’s unclear if the photos were intended to represent users’ spouses or the wives of others, or what the consent situation was. But that’s a bit of a moot point given that it’s been taken offline for now in the aftermath of the hack. Nonetheless, the information thieves made off with enough data to make follow-on attacks a likely scenario (such as blackmail and extortion attempts, or phishing expeditions) – something seen in the wake of the 2015 Ashley Madison attack that exposed 36 million users of the dating site for cheaters.
Worryingly, Ars Technica did a web search of some of the private email addresses associated with the profiles, and “quickly returned accounts on Instagram, Amazon and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members and other personal details.”
Wife Lovers said in a website notice that the attack started when an “unnamed security researcher” was able to exploit a vulnerability to download message-board registration information, including email addresses, usernames, passwords and the IP address used when someone registered. The so-called researcher then sent a copy of the full database to the site’s owner, Robert Angelini.
“This person reported that they were able to exploit a script we use,” Angelini noted in the website notice. “This person told us that they were not going to publish the information, but did it to identify websites with this type of security issue. If this is true, we have to assume others might have also gotten this information with not-so-honest intentions.”
It’s worth mentioning that previous hacking groups have claimed to be lifting information in the name of “security research,” including w0rm, which made headlines after hacking CNET, the Wall Street Journal and VICE. w0rm told CNET that its goals were altruistic and done in the name of raising awareness of internet security – while also offering the stolen data from each company for 1 Bitcoin.
Angelini also told Ars Technica that the database had been built up over a period of 21 years; between current and former sign-ups, there were 1.2 million individual accounts. In an odd twist, however, he also said that only 107,000 people had ever posted to the eight adult sites. This could mean that most of the accounts were “lurkers” checking out profiles without posting anything themselves, or that many of the emails are not legitimate – it’s unclear. Threatpost reached out to Hunt for more information, and we will update this posting with any response.
Meanwhile, the password-hashing scheme used for the passwords, DEScrypt, is so weak as to be meaningless, according to hashing experts. DEScrypt is the traditional Unix crypt(3) scheme: it takes only the first eight characters of the password (anything longer is silently discarded) as a 56-bit DES key, runs a salted variant of DES 25 times over an all-zero block, and emits a 13-character hash whose first two characters are a 12-bit salt. A bounded input length, a salt space of just 4,096 values and a cipher designed for 1970s hardware make it trivially fast to attack on modern GPUs. DES itself was developed at IBM in the 1970s and adopted as a US federal standard in 1977, with the National Security Agency (NSA) involved in its design. According to researchers, the NSA altered its S-boxes to harden it against differential cryptanalysis, an attack that was not publicly known at the time; but, “the NSA also ensured that the key size was drastically reduced such that they could break it by brute-force attack.”
Which is why it took hashcat creator Jens Steube a measly seven minutes to identify the format when Hunt asked on Twitter what hashing scheme had produced the hashes:
“13 chars base64 usually descrypt (-m 1500 in hashcat),” Steube replied.
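As an added example (this is not code from the site, from Hunt or from Threatpost), the following Python shows the triage a practitioner does with a dump like this one: recognise the 13-character descrypt format Steube pointed at, map it to the hashcat mode, flag accounts whose hashes are too weak to keep serving so they can be forced through a password reset, and migrate the rest to a modern scheme (scrypt from the standard library) on their next successful login. The dump lines, user names and hash strings are constructed and are not hashes of anything; the `$scrypt$` storage format is this example’s own; and the `crypt(3)`-based legacy verifier only works where Python’s `crypt` module still exists, so `login()` also accepts any other verifier callable.

```python
"""Triage a leaked credential table for legacy crypt(3)/descrypt hashes and
show the replacement scheme (scrypt from hashlib) with upgrade-on-login.
Added example; not code from Wife Lovers, Have I Been Pwned or Threatpost."""
import base64
import hashlib
import hmac
import os
import re

# Hash-format signatures: (scheme, regex, hashcat mode, must_reset).
# descrypt output is 13 chars of ./0-9A-Za-z: two chars of 12-bit salt followed
# by eleven chars encoding the 64-bit DES result. The rest are the usual
# modular-crypt prefixes. must_reset marks schemes too weak to keep serving.
HASH_FORMATS = [
    ("descrypt",    re.compile(r"^[./0-9A-Za-z]{13}$"), 1500, True),
    ("md5crypt",    re.compile(r"^\$1\$"),              500,  True),
    ("bcrypt",      re.compile(r"^\$2[abxy]\$"),        3200, False),
    ("sha512crypt", re.compile(r"^\$6\$"),              1800, False),
    ("scrypt",      re.compile(r"^\$scrypt\$"),         None, False),
]
# scrypt work factors for the replacement scheme (about 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def classify(stored: str) -> str:
    """Name the hash scheme from its textual form, or 'unknown'."""
    for name, pattern, _mode, _weak in HASH_FORMATS:
        if pattern.match(stored):
            return name
    return "unknown"

def hashcat_mode(scheme: str):
    """The hashcat -m value for a scheme, or None where none applies."""
    return next((m for n, _p, m, _w in HASH_FORMATS if n == scheme), None)

def scrypt_hash(password: str, salt: bytes = None) -> str:
    """Hash with scrypt and a 16-byte random salt in a self-describing string
    ($scrypt$N$r$p$salt_b64$key_b64; this format is the example's own)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, b64(salt), b64(dk))

def scrypt_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a $scrypt$ string."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False
    n, r, p = (int(x) for x in parts[2:5])
    salt, expected = base64.b64decode(parts[5]), base64.b64decode(parts[6])
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)

def legacy_descrypt_verify(password: str, stored: str) -> bool:
    """Check a descrypt hash with the platform crypt(3). Python's crypt module
    is deprecated in 3.11 and removed in 3.13; pass another verifier there."""
    import crypt  # raises ImportError on 3.13+
    return hmac.compare_digest(crypt.crypt(password, stored[:2]), stored)

def login(username: str, password: str, store: dict,
          legacy_verify=legacy_descrypt_verify) -> bool:
    """Authenticate against `store` (username -> hash). A correct password
    against a descrypt hash is re-hashed with scrypt on the spot; other legacy
    schemes are refused so the account is forced through a reset."""
    stored = store.get(username)
    if stored is None:
        return False
    scheme = classify(stored)
    if scheme == "scrypt":
        return scrypt_verify(password, stored)
    if scheme == "descrypt" and legacy_verify(password, stored):
        store[username] = scrypt_hash(password)
        return True
    return False

def triage(dump_text: str) -> dict:
    """Count hash schemes in a 'user:email:hash' dump and list the users whose
    hashes are weak or unrecognised and therefore need a forced reset."""
    must_reset = {n: w for n, _p, _m, w in HASH_FORMATS}
    report = {"by_scheme": {}, "reset_required": []}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        user, _email, stored = line.split(":", 2)
        scheme = classify(stored)
        report["by_scheme"][scheme] = report["by_scheme"].get(scheme, 0) + 1
        if must_reset.get(scheme, True):
            report["reset_required"].append(user)
    return report

# Constructed sample dump (not real data). The descrypt, md5crypt and bcrypt
# strings are shaped like real hashes but are not hashes of anything.
SAMPLE_DUMP = "\n".join([
    "alice:alice@example.com:ab9Z4jq7Ufz1E",
    "bob:bob@example.com:$1$saltsalt$f2E4bYzC0HQWxNfB7zcFd/",
    "carol:carol@example.com:$2b$12$LJ3m4Ws7XqY0K9u1QfE7QeBz8vJ5n2dG6hT1cR4sW9xY0aZ3bC5dE",
    "dave:dave@example.com:" + scrypt_hash("correct horse battery staple",
                                           salt=b"fixed-demo-salt!"),
])

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Running `triage(SAMPLE_DUMP)` reports one account per scheme and puts alice (descrypt) and bob (md5crypt) on the forced-reset list. Because descrypt keeps only the first eight characters of a password, a hashcat mask attack of eight printable characters (`-a 3 -m 1500` with the `?a` charset repeated eight times) bounds the entire search space, which is why “so weak as to be meaningless” is not hyperbole.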
In warning his clientele of the incident via the website notice, Angelini reassured them that the breach didn’t go deeper than the free areas of the sites:
“As you know, our websites keep separate systems for those that post on the message board and those that have become paid members of this website. They are two completely separate and different systems. The paid members’ information is NOT suspect and is not stored or managed by us but rather by the credit card processing company that processes the transactions. Our website never has had this information about paid members. So we believe at this time paid member customers were NOT affected or compromised.”
In any event, the incident points out once again that any site, even one flying under the mainstream radar, is at risk of attack. And using up-to-date security measures and password-hashing techniques (a modern, deliberately slow and salted scheme such as bcrypt, scrypt or Argon2 rather than DEScrypt) is a critical first line of defense.