YouPorn passwords available for download, thousands of users exposed


Want a free password for one of the world's most popular adult websites?

YouPorn, one of the world's most popular porn video websites and one of the top 100 websites of any kind in the world, appears to have been caught with its pants down - after a list of many of its users' email addresses, passwords and dates of birth were left exposed on a public-facing server.

According to security blogger Anders Nilsson, the credentials of well over a million YouPorn users were publicly accessible.

Unlike the recent Brazzers porn site hack, however, sloppy practices are being blamed for the YouPorn incident, with debug data about users seemingly being stored in a public fashion since 2007.
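One way to keep credentials out of debug output in the first place, shown as an added example that is not from the original article or from YouPorn's code: a Python `logging` filter that masks sensitive fields before any handler writes them. The field names, the logger name and the sample records are constructed assumptions.

```python
import io
import logging
import re

# Assumed names of sensitive fields; extend to match your own schema.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "email", "dob", "date_of_birth"}
MASK = "[REDACTED]"
# Matches key=value / key: value pairs inside free-form text (query strings etc.).
PAIR_RE = re.compile(
    r'(?i)\b(%s)(\s*[=:]\s*)("[^"]*"|\'[^\']*\'|[^\s,;&]+)'
    % "|".join(sorted(SENSITIVE_KEYS)))


def scrub(value):
    """Return value with sensitive fields masked; recurses into dicts and lists."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return PAIR_RE.sub(lambda m: m.group(1) + m.group(2) + MASK, value)
    return value


class RedactingFilter(logging.Filter):
    """Mask structured args first, then the fully formatted message."""

    def filter(self, record):
        if record.args:
            record.args = scrub(record.args)
        # Format once here so later handlers only ever see the scrubbed text.
        record.msg, record.args = scrub(record.getMessage()), None
        return True


def demo():
    """Log constructed sample events through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("signup-debug")  # hypothetical logger name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    # Constructed sample data, not taken from any real leak.
    log.debug("new user %s", {"user": "alice", "email": "alice@example.test",
                              "password": "tango123"})
    log.debug("POST /register email=bob@example.test&password=hunter2&dob=1980-01-01")
    return stream.getvalue()
```

A filter like this is a backstop: debug logs should also be written outside any directory the web server can serve.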

YouPorn user data

Hackers have been sifting through the information, and in some cases republishing it elsewhere online. So even though YouPorn appears to have now shut down the offending server - its users remain exposed.

YouPorn passwords

This is one of those cases where it's not just bad to have your password exposed - it's actually potentially worse to have your email address connected with this breach too.

You can imagine how employers and marital partners may be less than impressed to find you are registered for a website like YouPorn. And their discovery of your porn penchant is only a search and a click away.

But more than the embarrassment factor, there's also a security issue here. We know that many internet users adopt the same password for multiple sites.

So, if your YouPorn password is now known, hackers might try that same password against your email address, your PayPal account, your Amazon account, and all manner of other online resources.

If you are still using the same password on multiple sites, please change your dirty habit now.

Of course, some Twitter users couldn't resist making a gag as the news of the data leak broke:

But it's unlikely that the victims of this data breach will be finding things so amusing.

At the time of writing, there is no mention of the apparent data loss on YouPorn's official blog (no, we're not linking to it) or Twitter account.

Hat-tip: Thanks to Anders Nilsson for providing more information about this incident.


22 Responses to YouPorn passwords available for download, thousands of users exposed

  1. Axel · 883 days ago

    Damn, I'm there again

  2. Surfing · 883 days ago

    Naked Security posting about the exposure of email addresses and passwords of a porn site...I love it.

    Maybe there will end up being some job openings for people who actually want to WORK rather than surf porn sites on the job because of this. Not to mention that some porn addicts might decide to get help when their spouses find out what they've been up to.

  3. John · 883 days ago

    Yeah, because everybody that watches porn sometimes does it in an addicted fashion on work hours...

  4. anon · 883 days ago

    Watching porn shouldn't be a shame. That's a very dumb "employer".

  5. Dude · 883 days ago

    They should use OpenID with Facebook, Twitter, and Google so you can share with your friends too... Frictionless sharing

  6. Violet Blue · 883 days ago

    FWIW, YouPorn and Brazzers (also recently hacked) are owned and operated by parent company Manwin.

    Manwin also runs PornHub, Xtube and Playboy.com, so concerned users of those websites may want to rethink their password security protocols.

  7. SurfingNeedsAJob · 883 days ago

    How did a post about porn sites being hacked turn into a discussion about work? @Surfing - pron and your lack of a job have nothing to do with each other.

  8. pstatho · 883 days ago

    Official YouPorn statement (SFW): http://blog.youporn.com/youporn-data-not-exposed/

  9. anon2 · 883 days ago

    Are those real? The screen shot shows 9 passwords, and there are 6 duplicates in that list. Really? 9 random logins have that many duplicate passwords?

  10. SomeRandomGuy · 883 days ago

    google for

    inurl:pastebin.com "@hotmail.com::tango"

    I don't understand that the passwords are blanked out while enough information is provided that you can just copy some information from the image to google to find it.

  11. Greenaum · 882 days ago

    It's amazing the passwds were stored as plain text at all. Unix had the password-security problem solved about 40 years ago. One-way hash, as I don't need to tell anyone here. I'd've thought that whatever software they're using would have that by default.

    Who writes software that *doesn't* hash passwords? Who has the technical capability to set up a website with a password system, but isn't smart enough to use hashing? Evidently a lot of half-qualified idiots in the IT business these days.

  12. peetee · 882 days ago

    First, change your password. Second, it's pictures of normal bodily functions. If you have a spouse, you're probably doing some of them _with_ your spouse. Heck, I'm a guy and my girlfriend introduced me to youporn. She's not overtly sexual, so you wouldn't guess it by looking at her. You might guess it, if you consider looking at porn on the interwebs to be one of those things consenting adults are normally allowed to do.

    Not everyone advertises their sexuality, and people have a right to their own sexual habits as long as they don't hurt anyone.

  13. Eric · 882 days ago

    Somebody needs to develop an app to cross-reference any politicians currently running for office with the leaked data.

  14. I've run some sorting and filtering over it:

    All in all we have 6433 leaked logins with 4064 unique passwords and 526 mail domains in use.
    http://isithackday.com/youpornusers.php

  15. Name Missing · 882 days ago

    Sure am glad I used the phony user name Graham Cluley. This could have been embarrassing.

  16. 4caster · 882 days ago

    Graham, why do you call your site "nakedsecurity"? Is it in the desperate hope that people will stumble across it when searching for something else?
    It's a counter-productive name in my opinion. When I recommend your security service to potential clients (for you), I always feel they are less likely to use Sophos when they discover you have a name like that.

    • Sorry you don't like the name - I think we're stuck with it now.

      If you have any clients who are disturbed by it, you might want to remind them of Jamie Oliver ("The Naked Chef"), William S. Burroughs (author of "The Naked Lunch") and that "naked" can mean much more than "has forgotten to put their clothes on this morning".

      For instance, it can mean "expressed openly" or "undisguised" or "without varnish". Which is what I hope this site is.

      Again, apologies if it causes you difficulties - but hopefully once your clients reach the site they'll find it an interesting read.

    • lanas · 879 days ago

      As in "Naked truth"

  17. Official YouPorn Statement & Clarification of Facts is online at http://blog.youporn.com/youporn-data-not-exposed/

  18. dazzlepod · 882 days ago

    There are more than 'thousands'. See http://dazzlepod.com/youporn/ (even this is not fully loaded yet). Obviously, some of the emails are not legit but many are! The repeated emails are shown in the list as they used different passwords.

  19. DocSink · 873 days ago

    Looking at porn on the interwebs is one of those things consenting adults are normally allowed to do, or not!

  20. IvanaDeValdasco · 810 days ago

    It's the best only for the reason I would say is because viewers get to view it for free.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.