Want a free password for one of the world’s most popular adult websites?
YouPorn, one of the world’s most popular porn video websites and one of the top 100 websites of any kind in the world, appears to have been caught with its pants down – after a list of many of its users’ email addresses, passwords and dates of birth were left exposed on a public-facing server.
According to security blogger Anders Nilsson, the credentials of well over a million YouPorn users were publicly accessible.
Unlike the recent Brazzers porn site hack, however, sloppy practices are being blamed for the YouPorn incident, with debug data about users seemingly being stored in a public fashion since 2007.
Hackers have been sifting through the information, and in some cases republishing it elsewhere online. So even though YouPorn appears to have now shut down the offending server – its users remain exposed.
This is one of those cases where it’s not just bad to have your password exposed – it’s actually potentially worse to have your email address connected with this breach too.
You can imagine how employers and marital partners may be less than impressed to find you are registered for a website like YouPorn. And their discovery of your porn penchant is only a search and a click away.
But more than the embarrassment factor, there’s also a security issue here. We know that many internet users adopt the same password for multiple sites.
So, if your YouPorn password is now known, hackers might try that same password against your email address, your PayPal account, your Amazon account, and all manner of other online resources.
If you are still using the same password on multiple sites, please change your dirty habit now.
Of course, some Twitter users couldn’t resist making a gag as the news of the data leak broke:
https://twitter.com/hairiermanager/status/172339206255943680
@gcluley I'm so glad that I've never registered with @YouPorn, so no one will ever discover my shameful secret.
— Mal Franks (@MerseyMal) February 22, 2012
But it’s unlikely that the victims of this data breach will be finding things so amusing.
At the time of writing, there is no mention of the apparent data loss on YouPorn’s official blog (no, we’re not linking to it) or Twitter account.
Hat-tip: Thanks to Anders Nilsson for providing more information about this incident.
Damn, I'm there again
Naked Security posting about the exposure of email addresses and passwords of a porn site…I love it.
Maybe there will end up being some job openings for people who actually want to WORK rather than surf porn sites on the job because of this. Not to mention that some porn addicts might decide to get help when their spouses find out what they've been up to.
Yeah, because everybody that watches porn sometimes does it in an addicted fashion on work hours…
Watching porn shouldn't be a shame. That's a very dumb "employer".
They should use OpenID with Facebook, Twitter, and Google so you can share with your friends too… Frictionless sharing
FWIW, YouPorn and Brazzers (also recently hacked) are owned and operated by parent company Manwin.
Manwin also runs PornHub, Xtube and Playboy.com, so concerned users of those websites may want to rethink their password security protocols.
How did a post about porn sites being hacked turn into a discussion about work? @Surfing – pron and your lack of a job have nothing to do with each other.
Official YouPorn statement (SFW): http://blog.youporn.com/youporn-data-not-exposed/
Are those real? The screen shot shows 9 passwords, and there are 6 duplicates in that list. Really? 9 random logins have that many duplicate passwords?
google for
inurl:pastebin.com "@hotmail.com::tango"
I don't understand that the passwords are blanked out while enough information is provided that you can just copy some information from the image to google to find it.
It's amazing the passwds were stored as plain text at all. Unix had the password-security problem solved about 40 years ago. One-way hash, as I don't need to tell anyone here. I'd've thought that whatever software they're using would have that by default.
Who writes software that *doesn't* hash passwords? Who has the technical capability to set up a website with a password system, but isn't smart enough to use hashing? Evidently a lot of half-qualified idiots in the IT business these days.
First, change your password. Second, it's pictures of normal bodily functions. If you have a spouse, you're probably doing some of them _with_ your spouse. Heck, I'm a guy and my girlfriend introduced me to youporn. She's not overtly sexual, so you wouldn't guess it by looking at her. You might guess it, if you consider looking at porn on the interwebs to be one of those things consenting adults are normally allowed to do.
Not everyone advertises their sexuality, and people have a right to their own sexual habits as long as they don't hurt anyone.
Somebody needs to develop an app to cross-reference any politicians currently running for office with the leaked data.
I've run some sorting and filtering over it:
All in all we have 6433 leaked logins with 4064 unique passwords and 526 mail domains in use.
http://isithackday.com/youpornusers.php
Sure am glad I used the phony user name Graham Cluley. This could have been embarrassing.
Graham, why do you call your site "nakedsecurity"? Is it in the desperate hope that people will stumble across it when searching for something else?
It's a counter-productive name in my opinion. When I recommend your security service to potential clients (for you), I always feel they are less likely to use Sophos when they discover you have a name like that.
Sorry you don't like the name – I think we're stuck with it now.
If you have any clients who are disturbed by it, you might want to remind them of Jamie Oliver ("The Naked Chef"), William S. Burroughs (author of "The Naked Lunch") and that "naked" can mean much more than "has forgotten to put their clothes on this morning".
For instance, it can mean "expressed openly" or "undisguised" or "without varnish". Which is what I hope this site is.
Again, apologies if it causes you difficulties – but hopefully once your clients reach the site they'll find it an interesting read.
As in "Naked truth"
Official YouPorn Statement & Clarification of Facts is online at http://blog.youporn.com/youporn-data-not-exposed/
There are more than 'thousands'. See http://dazzlepod.com/youporn/ (even this is not fully loaded yet). Obviously, some of the emails are not legit but many are! The repeated emails are shown in the list as they used different passwords.
Looking at porn on the interwebs is one of those things consenting adults are normally allowed to do, or not!
It's the best only for the reason I would say is because viewers get to view it for free.
I recently got scammed too by a secret shopper service, stating to be through Walmart. I’ve already reported the incident to local law and the FTC, now the scammer is threatening to press charges on me for harassment! My bank is demanding the money, even though they did not follow through on protocol, to place a hold on the check! All I want is my money back. I’m only 19, I don’t have two grand just laying around.