The database behind Wife Lovers – a site dedicated to posting nudes and erotica about wives – has been breached, exposing a total of over 1.2 million unique email addresses.
Wife Lovers was one of eight adult websites that relied on the database, putting at risk the intimate messages of the users and photos that they said were of their wives – some of whom may not have a clue that their photos were being posted in the first place.
The other sites:
The owner of Wife Lovers and the other seven sites, whom Ars Technica identified as Robert Angelini, said on his Wife Lovers site that he’d been notified – by a source “we feel is credible” – that an unnamed security researcher got access to the sites’ message boards and had downloaded registrants’ personal data.
The breached information includes:
- Email addresses
- Posting IDs
- Passwords, described in the notice as "encrypted" (in fact they were DEScrypt hashes, as explained below)
- IP addresses used to register on the sites
Angelini told Ars on Saturday morning that, in the 21 years the sites operated, fewer than 107,000 people had posted to the eight of them. Yet the 98MB database he received on Friday was mysteriously plump: it held roughly 12 times as many email addresses as the total number of users who've posted to the sites, Angelini told Ars. It's not clear whether all the email addresses belong to legitimate users.
Angelini confirmed the breach on Saturday morning and took down the sites. He also put up a notice on the shuttered sites, warning users to change their passwords elsewhere, particularly if they’ve reused passwords on multiple sites:
When you post on the message board your email address and posting ID are already shown in your post. Thus, if someone is able to "crack the code" of the encrypted posting password they might be able to log into other websites that you use the same password associated with that posting ID or email address on our website.
As far as cracking the code goes, it was done pretty much instantaneously. The protection on the passwords is worthless: it isn't encryption at all but, as Ars Technica's Dan Goodin describes, a four-decade-old, weak hashing scheme, and it took password-cracking expert Jens Steube only seven minutes to recognize it and then crack a given hash.
@troyhunt 13 chars base64 usually descrypt (-m 1500 in hashcat) VTB3d1ZQYv.7o:ecotone
— (@hashcat) October 18, 2018
The hash function is known as DEScrypt: the traditional Unix crypt(3) scheme from 1979, which uses the first eight characters of the password as a DES key to encrypt an all-zero block 25 times, with a 12-bit salt (4,096 possible values) slightly altering the cipher. It's built on the old Data Encryption Standard (DES), an algorithm that the National Security Agency (NSA) changed in two ways after IBM submitted it for standardization: 1) it altered the S-boxes, a change widely suspected at the time of planting a backdoor but later shown to have hardened DES against differential cryptanalysis, an attack that wasn't yet public; and 2) it cut the key length to 56 bits, small enough that brute-force attack became practical.
Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, had this to say about it to Ars:
The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago. It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.
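To make those weaknesses concrete, here is an added example, written for this page rather than taken from Ars, hashcat or the sites' own code: a pure-Python DEScrypt that reproduces the hash quoted in the tweet above and shows the three structural limits at once (a 56-bit DES key, a 12-bit salt, and silent truncation of the password to eight characters). The DES tables are the published FIPS 46-3 ones; the word list and the function names (descrypt, crack) are illustrative and are not anything the article describes.

```python
"""Traditional Unix DEScrypt (crypt(3)) in pure Python, added here to show
why these hashes fell so quickly. Illustrative code, not hashcat's or the
sites' own; the DES tables are the published FIPS 46-3 ones."""

# IP and E have a regular structure and are generated; FP is IP's inverse.
IP = [[58, 60, 62, 64, 57, 59, 61, 63][r] - 8 * c for r in range(8) for c in range(8)]
FP = [0] * 64
for _i, _p in enumerate(IP):
    FP[_p - 1] = _i + 1
E_BOX = [((4 * i + j - 1) % 32) + 1 for i in range(8) for j in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
       59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39,
       31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
       29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
# S-boxes S1..S8, each 4 rows x 16 entries written as 64 hex digits, row-major.
SBOX = [
    "e4d12fb83a6c5907" "0f74e2d1a6cb9538" "41e8d62bfc973a50" "fc8249175b3ea06d",
    "f18e6b34972dc05a" "3d47f28ec01a69b5" "0e7ba4d158c6932f" "d8a13f42b67c05e9",
    "a09e63f51dc7b428" "d709346a285ecbf1" "d6498f30b12c5ae7" "1ad069874fe3b52c",
    "7de3069a1285bc4f" "d8b56f03472c1ae9" "a690cb7df13e5284" "3f06a1d8945bc72e",
    "2c417ab6853fd0e9" "eb2c47d150fa3986" "421bad78f9c5630e" "b8c71e2d6f09a453",
    "c1af92680d34e75b" "af427c9561de0b38" "9ef528c3704a1db6" "432c95fabe17608d",
    "4b2ef08d3c975a61" "d0b7491ae35c2f86" "14bdc37eaf680592" "6bd814a7950fe23c",
    "d2846fb1a93e50c7" "1fd8a374c56b0e92" "7b419ce206adf358" "21e74a8dfc90356b",
]
# crypt(3)'s 64-character alphabet: 2 salt chars = 12 bits = only 4,096 salts.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _perm(bits, table):
    return [bits[i - 1] for i in table]

def _subkeys(key_bits):
    """Derive the 16 round keys; PC1 drops the 8 parity bits, leaving 56."""
    cd = _perm(key_bits, PC1)
    c, d = cd[:28], cd[28:]
    keys = []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        keys.append(_perm(c + d, PC2))
    return keys

def _feistel(r, k, e_box):
    x = [a ^ b for a, b in zip(_perm(r, e_box), k)]
    out = []
    for i in range(8):
        b = x[6 * i:6 * i + 6]  # outer bits pick the row, inner four the column
        v = int(SBOX[i][(b[0] * 2 + b[5]) * 16 + b[1] * 8 + b[2] * 4 + b[3] * 2 + b[4]], 16)
        out += [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]
    return _perm(out, P)

def _des_encrypt(block, keys, e_box):
    bits = _perm(block, IP)
    l, r = bits[:32], bits[32:]
    for k in keys:
        l, r = r, [a ^ b for a, b in zip(l, _feistel(r, k, e_box))]
    return _perm(r + l, FP)

def descrypt(password, salt):
    """Return the 13-character DEScrypt hash of password under a 2-character salt."""
    # Key: the first 8 characters only, 7 bits each; anything longer is ignored.
    key_bits = []
    for ch in password[:8].ljust(8, "\0"):
        c = ord(ch) & 0x7F
        key_bits += [(c >> (6 - j)) & 1 for j in range(7)] + [0]
    keys = _subkeys(key_bits)
    # Salt: 12 bits; each set bit i swaps E[i] with E[i + 24].
    e_box = list(E_BOX)
    salt_val = ALPHABET.index(salt[0]) | (ALPHABET.index(salt[1]) << 6)
    for i in range(12):
        if (salt_val >> i) & 1:
            e_box[i], e_box[i + 24] = e_box[i + 24], e_box[i]
    # Encrypt an all-zero block 25 times with the salt-perturbed cipher.
    block = [0] * 64
    for _ in range(25):
        block = _des_encrypt(block, keys, e_box)
    # Encode the 64 bits plus 2 zero pad bits as 11 alphabet characters.
    block += [0, 0]
    out = "".join(ALPHABET[int("".join(map(str, block[6 * i:6 * i + 6])), 2)]
                  for i in range(11))
    return salt[:2] + out

def crack(hash13, wordlist):
    """Dictionary attack: the salt is in the hash, so just rehash each guess."""
    salt = hash13[:2]
    for word in wordlist:
        if descrypt(word, salt) == hash13:
            return word
    return None

# Constructed word list; the target hash is the one shown in the hashcat tweet.
WORDLIST = ["password", "wifelover", "ecotone", "hunter2"]

if __name__ == "__main__":
    print(crack("VTB3d1ZQYv.7o", WORDLIST))
    # Truncation: a longer password is no stronger than its first 8 characters.
    print(descrypt("ecotone12345", "VT") == descrypt("ecotone1", "VT"))
```

Run as-is, crack() returns "ecotone" after a handful of guesses, and the final comparison is True: "ecotone12345" and "ecotone1" hash identically under the same salt, so a user's long password buys nothing. With only 4,096 salts, a cracker working through a 1.2-million-row dump also reuses most of its work across accounts, which is the point Gosney makes above about thousands of hashes sharing a salt.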
Angelini, meanwhile, is mulling the possibility that a family member with a grudge is behind the breach. From an email he sent to Ars:
She is pretty computer savvy, and last year I required a restraining order against her. I wonder if this was the same person [who hacked the sites].
Perhaps another good question to ask: who’s responsible for still using dusty, fusty hashing that’s as fresh as 40-year-old fish?
Goodin notes that users could display one email address publicly on their accounts while registering a different, private one. That could lead to disclosure not only of users' profile IDs but of their identities:
A Web search of some of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members, and other personal details. The name one user gave wasn’t his real name, but it did match usernames he used publicly on a half-dozen other sites.
Troy Hunt, who runs the Have I Been Pwned site, has listed the breach. Given the sensitive nature of the exposure, though, he's flagged it as sensitive, meaning that, unlike his usual practice, the exposed email addresses can't be looked up by anyone who searches the site; only the owner of an address, after verifying it, can see whether it appears in the breach.
That’s the same way Hunt treated Ashley Madison: a breach that led to extortion threats and multiple associated suicides.
This incident is a huge privacy violation, and it could be devastating for people like [one of the names in the exposed database] if he’s outed (or, I assume, if his wife finds out).