26,000 sex website passwords exposed by LulzSec


The notorious LulzSec hacking group has published login passwords for almost 26,000 users of an x-rated porn website.

The hackers compromised the database of the hardcore website (called "Pron"), exposing not only the email addresses and passwords of over 25,000 members but also the credentials of 55 administrators of other adult websites.

Furthermore, LulzSec drew particular attention to various government and military email addresses (.mil and .gov) that appeared to have accounts with the porn website.

That must be an embarrassing one to explain to the boss..

To add insult to injury, the LulzSec group called on its many recent Twitter followers to exploit the situation by logging into Facebook with the email/password combinations and telling the victims' Facebook friends and family about their porn habit.


It should go without saying that logging into someone else's account without their permission is against the law in most countries around the world.

Fortunately, it's reported that Facebook's security team responded quickly to the threat - and reset the passwords for all of the accounts it had which matched the email addresses exposed. Of course, it's still possible that those email address/password combinations are being used on other websites.
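A service-side version of the response described above, as an added example that is not from the original article and is not Facebook's actual code: match a published email/password list against the service's own accounts, force a reset for every matching address, and mark the accounts where the leaked password also verifies. The account table, the sample pairs and the scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this sketch)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is used per account."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify(password, salt, digest):
    """Constant-time check of a candidate password against a stored record."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def triage_leak(accounts, leaked_pairs):
    """Map each affected local account to 'reset' or 'reset+reused'."""
    actions = {}
    for email, leaked_pw in leaked_pairs:
        key = email.strip().lower()          # normalise before lookup
        record = accounts.get(key)
        if record is None:
            continue                         # address has no account here
        reused = verify(leaked_pw, *record)
        # once reuse is confirmed for an account, keep that label
        if reused or key not in actions:
            actions[key] = "reset+reused" if reused else "reset"
    return actions


# Constructed sample data: the service's own user table ...
ACCOUNTS = {
    "alice@example.com": hash_password("correct horse battery"),
    "bob@example.org": hash_password("hunter2"),
    "carol@example.net": hash_password("s3parate-everywhere"),
}
# ... and constructed pairs standing in for a published dump.
LEAKED = [
    ("Bob@Example.org ", "hunter2"),         # same password reused here
    ("alice@example.com", "pr0n-only-pw"),   # account exists, password differs
    ("dave@example.com", "letmein"),         # no account on this service
]

if __name__ == "__main__":
    for email, action in sorted(triage_leak(ACCOUNTS, LEAKED).items()):
        print(email, action)
```

Every matching address is reset regardless of whether the password verifies, which mirrors the reported response; the "reused" label only tells the security team which accounts were directly exposed.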

If anything should be a reminder to internet users of the importance of using different passwords for different websites, this should be it.

The danger is that once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain or, in this case, potential embarrassment.

If you believe there might be a chance that your username/password were exposed, or if you're simply in the habit of using the same password for multiple websites - now is the time to change your habits.

Here's a YouTube video showing you how to choose a hard-to-crack, unique password:


25 Responses to 26,000 sex website passwords exposed by LulzSec

  1. WippyM · 1231 days ago

    This is yet another wormhole which is parodied by hackers and thus a stern warning for those too narrow-minded to create additional passwords...still, I did slightly laugh at the hilarity of this article (it seems wrong, but this is purely adolescence kicking in).

  2. Arno · 1231 days ago

    Hilarious.. especially those .gov & .mil addresses.. I would think that usa gov would do an effort to create awareness.. obviously that failed for those particular users.. ;-)

  3. spookie · 1231 days ago

    There are two kinds of people in the world: those who look at porn and say so and liars. These CRACKERS and SCRIPT KIDDIES couldn't use this for the blackmail portion of this exploit if people stopped looking at what consenting adults do in private as something they should be ashamed of. Take out the blackmail portion and this is no different than the Sony breakins.

    • Eddie · 1231 days ago

      There's one more kind: people who rationalize what they do by claiming that everyone does it.

      • nobody · 1230 days ago

        And still another: Those who put down others' interests in a feeble attempt to make themselves feel better about themselves.

  4. What was LulzSec's point for drawing attention to .gov and .mil? It really wasn't clear from the article. Also, you put an extra period at the end of that sentence.

    • onlylogical · 1230 days ago

      Maybe that these people are using government resources, i.e. our tax dollars, for personal pursuit. I am sure there are strict regulations about using these accounts for personal and not business use. Not to mention I have to wonder how many of them were enjoying these sites during business hours, when they are supposed to be serving the country. It seems something else is getting served and we are paying for it.

  5. Graham is the bomb

  6. jack · 1231 days ago

    While I support the idea of people using strong passwords, no password will protect you if the site database you entered your info is cracked and your password is freely published to the Web.

    I also don't really understand what Lulzsec's point is anymore. If they're trying to educate the public about the dangers of supplying personal information to sites that utilize poor security, they've chosen a backasswards way of doing it.

    • anonymous · 1230 days ago

      Their point is LULZ. The hint is in the name ....

    • Lulzorz · 1230 days ago

      Point? It's for the Lulz! The only reason anyone does anything.

    • jill · 1230 days ago

      There were three points to this release:
      1.) Some websites store your password in the clear.
      2.) Use a different password for different websites (and your email) so that if one website is compromised, you limit exposure to that one website.
      3.) Government and military personnel are using official email for non-official purposes, which is both an abuse and a security risk.

    • Pro Libertate · 1230 days ago

      Any serious web site should store passwords only with encryption, SHA-2 at least. Storing passwords in the clear is simply unacceptable.

      • Someone_asdf · 1230 days ago

        Hashes, not encryption. Two slightly different things, but implications are enormous.

        You can't get the original password using hashes. SHA is a hash function.

        Encryption requires the key to be located somewhere on the server, so it's not a good idea.

  7. Jack, I think you may have confused LulzSec with a different group. They aren't claiming to be trying to achieve anything beyond spreading "fun, fun, fun, throughout the entire calendar year." If this does educate the public about cyber security it would be more by accident than design.

  8. RoboBot · 1230 days ago

    They do it for the lulz.

  9. Ted · 1230 days ago

    There's a joke in there somewhere about this hack being featured on nakedsecurity :)

    • Pro Libertate · 1230 days ago

      They should have added "Pun intended". For the slow-brained :D

  10. Lou · 1230 days ago

    Those would actually come in handy ;)

  11. Matt · 1230 days ago

    Personally I'd support the seals or any other elite group target LulzSec and give them the bin laden treatment regardless what country they are in!

    • Guest · 1229 days ago

      I guess Matt just assumes that his freedom to call for the murder of the members of LulzSec is a given.

      Maybe he would love to live in a nation where he gets arrested for his posts.

  12. Gotta love the irony of a group committing a felony moralizing about someone else's lack of morals, then encouraging others to commit similar felonies.

  13. Guest · 1228 days ago

    Jack asked what the point of LulzSec was anymore. There is no point. There never was. I do agree with anonymous though. It is in the name...

    LULZ - Losers United Lacking Zyprexa

    Get a job, move out of mommy's basement and contribute something useful to society. If the only way you can feel good about yourself (or have a LULZ) is to tear down something that someone else has built then you have serious issues. The good news is... they make medication for that. Try some!!!

    Flame away skiddies...

    :(

  14. Nhoj · 1228 days ago

    Hack the planet!
    Or at least teach people to not be so stupid.

  15. It's as simple and straightforward as this:
    Hacking a site to "reveal" security issues is the same as breaking into your neighbours home because he doesn't have armour plating over his windows and doors.
    People choose ridiculous passwords, this is true and will continue to do so until someone invents a better way. As soon as new technology comes out to replace passwords, these guys will be busy busy trying to break it too.
    Armchair Vandals, nothing more!


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.