The notorious LulzSec hacking group has published login passwords for almost 26,000 users of an x-rated porn website.
The hackers compromised the database of the hardcore website (called “Pron”), exposing not only the email addresses and passwords of over 25,000 members but also the credentials of 55 administrators of other adult websites.
Furthermore, LulzSec drew particular attention to various government and military email addresses (.mil and .gov) that appeared to have accounts with the porn website.
That must be an embarrassing one to explain to the boss..
To add insult to injury, the LulzSec group called on its many recent Twitter followers to exploit the situation by logging into Facebook with the email/password combinations and telling the victim’s Facebook friends and family about their porn habit.
It should go without saying that logging into someone else’s account without their permission is against the law in most countries around the world.
Fortunately, it’s reported that Facebook’s security team responded quickly to the threat – and reset the passwords for all of the accounts it had which matched the email addresses exposed. Of course, it’s still possible that those email address/password combinations are being used on other websites.
If anything should be a reminder to internet users of the importance of using different passwords for different websites, this should be it.
The danger is that once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain or, in this case, potential embarrassment.
If you believe there might be a chance that your username/password were exposed, or if you’re simply in the habit of using the same password for multiple websites – now is the time to change your habits.
Here’s a YouTube video showing you how to choose a hard-to-crack, unique password:
26 comments on “26,000 sex website passwords exposed by LulzSec”
This is yet another wormhole which is parodied by hackers and thus a stern warning for those too narrow-minded to create additional passwords…still, I did slightly laugh at the hilarity of this article (it seems wrong, but this is purely adolescence kicking in).
Hilarious.. especially those .gov & .mil addresses.. I would think that usa gov would do an effort to create awareness.. obviously that failed for those particular users.. 😉
There are two kinds of people in the world: those who look at porn and say so and liars. These CRACKERS and SCRIPT KIDDIES couldn’t use this for the blackmail portion of this exploit if people stopped looking at what consenting adults do in private as something they should be ashamed of. Take out the blackmail portion and this is no different than the Sony break-ins.
There's one more kind: people who rationalize what they do by claiming that everyone does it.
And still another: Those who put down other's interests in a feeble attempt to make themselves feel better about themselves.
No. There are three kinds of people.
The two you mentioned, and the ones that don’t really watch something as stupid as the so-called “porn”.
What was LulzSec's point for drawing attention to .gov and .mil? It really wasn't clear from the article. Also, you put an extra period at the end of that sentence.
Maybe that these people are using government resources, i.e. our tax dollars, for personal pursuit. I am sure there are strict regulations about using these accounts for personal and not business use. Not to mention I have to wonder how many of them were enjoying these sites during business hours, when they are supposed to be serving the country. It seems something else is getting served and we are paying for it.
Graham is the bomb
While I support the idea of people using strong passwords, no password will protect you if the site database you entered your info is cracked and your password is freely published to the Web.
I also don't really understand what Lulzsec's point is anymore. If they're trying to educate the public about the dangers of supplying personal information to sites that utilize poor security, they've chosen a backasswards way of doing it.
Their point is LULZ. The hint is in the name ….
Point? It's for the Lulz! The only reason anyone does anything.
There were three points to this release:
1.) Some websites store your password in the clear.
2.) Use a different password for different websites (and your email) so that if one website is compromised, you limit exposure to that one website.
3.) Government and military personnel are using official email for non-official purposes, which is both an abuse and a security risk.
Any serious web site should store passwords only with encryption, SHA-2 at least. Storing passwords in the clear is simply unacceptable.
Hashes, not encryption. Two slightly different things, but implications are enormous.
You can't get the original password using hashes. SHA is a hash function.
Encryption requires the key to be located somewhere on the server, so it's not a good idea.
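The two defensive points raised so far, storing passwords as one-way hashes rather than in the clear or encrypted, and resetting accounts whose credentials turn up in another site's dump (as Facebook is reported to have done), can be shown together. This is an added example, not code from the article or its commenters; the choice of salted PBKDF2-HMAC-SHA256, the function names, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: one-way, and no decryption key sits on the server."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def triage_leak(users, leaked):
    """users: {email: (salt, digest)}; leaked: (email, password) pairs from another site's dump.
    Returns (reused, exposed): accounts where the leaked password also works here
    (reset and end sessions), and accounts where only the email matches (notify)."""
    reused, exposed = set(), set()
    for email, password in leaked:
        key = email.strip().lower()  # normalise before matching our own records
        if key not in users:
            continue
        (reused if verify_password(password, *users[key]) else exposed).add(key)
    return sorted(reused), sorted(exposed - reused)

def demo():
    # Constructed sample data: three local accounts, two sharing one password.
    users = {
        "alice@example.com": hash_password("correct horse battery"),
        "bob@example.org": hash_password("hunter2"),
        "carol@example.net": hash_password("hunter2"),
    }
    # Constructed stand-in for a third-party dump of email/password pairs.
    leaked = [
        ("Bob@Example.org ", "hunter2"),   # same password reused on this site
        ("alice@example.com", "letmein"),  # email known, different password here
        ("dave@example.com", "qwerty"),    # not one of our users
    ]
    return users, triage_leak(users, leaked)

if __name__ == "__main__":
    users, (reused, exposed) = demo()
    print("force reset:", reused)
    print("notify only:", exposed)
```

Because each record has its own salt, the two constructed accounts that share a password still store different digests, so a dump of this table does not reveal which users chose the same password.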
Jack, I think you may have confused LulzSec with a different group. They aren't claiming to be trying to achieve anything beyond spreading "fun, fun, fun, throughout the entire calendar year." If this does educate the public about cyber security it would be more by accident than design.
They do it for the lulz.
There's a joke in there somewhere about this hack being featured on nakedsecurity 🙂
They should have added "Pun intended". For the slow-brained 😀
Those would actually come in handy 😉
Personally I'd support the seals or any other elite group target LulzSec and give them the bin laden treatment regardless what country they are in!
I guess Matt just assumes that his freedom to call for the murder of the members of LulzSec is a given.
Maybe he would love to live in a nation where he gets arrested for his posts.
Gotta love the irony of a group committing a felony moralizing about someone else's lack of morals, then encouraging others to commit similar felonies.
Jack asked what the point of LulzSec was anymore. There is no point. There never was. I do agree with anonymous though. It is in the name…
LULZ – Losers United Lacking Zyprexa
Get a job, move out of mommy's basement and contribute something useful to society. If the only way you can feel good about yourself (or have a LULZ) is to tear down something that someone else has built then you have serious issues. The good news is… they make medication for that. Try some!!!
Flame away skiddies…
Hack the planet!
Or at least teach people to not be so stupid.
It's as simple and straightforward as this:
Hacking a site to "reveal" security issues is the same as breaking into your neighbour's home because he doesn't have armour plating over his windows and doors.
People choose ridiculous passwords, this is true and will continue to do so until someone invents a better way. As soon as new technology comes out to replace passwords, these guys will be busy busy trying to break it too.
Armchair Vandals, nothing more!