Miami-based BangBros, a well-known adult film studio and platform, has exposed private user information that includes IPs, usernames, locations, feedback messages, and model performance statistics. Cybernews researchers found a large unsecured online database containing 12 million records.
On June 6th, the Cybernews research team discovered an unprotected Elasticsearch cluster containing more than 8GB of sensitive information about BangBros users. The contents and the nature of this data strongly suggest that the database belongs to the company.
Elasticsearch is a distributed data store and search engine built for near real-time analytics over large volumes of data. A cluster is one or more nodes (servers) that share the data and answer queries; its HTTP API listens on TCP port 9200 by default, and if a node is bound to a public interface with authentication disabled, anyone who can reach that port can read and modify every index.
The data was first indexed by search engines, where it appeared on June 3rd, 2024. The instance is now closed. However, there’s a risk that malicious actors or other third parties have also accessed and exfiltrated the data.
“If bad actors managed to get their hands on this data, they might trace and link adult content viewers’ habits to specific individuals. Combined with other private information, this could lead to significant privacy issues, cause personal embarrassment, and result in social stigma in places with conservative attitudes,” said Mantas Kasiliauskis, information security researcher at Cybernews.
The sensitive information in the leak includes the following:
- IP addresses
- Usernames
- User agents (device type, OS, browser, version, configuration, etc.)
- Messages (feedbacks)
- Country
- Geolocation (latitude and longitude to four decimal places; that resolution corresponds to roughly 11 meters (36 feet), but the coordinates may be derived from the IP address, in which case the real accuracy is that of IP geolocation, typically city level, regardless of how many decimals are stored)
- Model names, genders, descriptions
- Model statistics (upvotes, downvotes, views)
“Although the credentials were not leaked directly, hackers can associate the IP addresses with the identity from other leaks,” Kasiliauskis said.
The largest part of the leak, the “bangbros_straight” file, contains almost 11 million records. The records appear to be from a media or content management system and include various statistics.
The user login information in the log file included 496,542 records. The number of feedbacks tied to IP addresses, usernames, dates and other information was 37,974.
According to researchers, the exposed Elasticsearch instance was likely left unsecured due to an inadvertent configuration error. Cybernews contacted the company, and the issue was fixed. We did not receive any comments at the time of writing.
Founded in 2000, BangBros is an adult entertainment company that produces and distributes pornographic content on a variety of websites featuring different genres and themes of adult material.
How to protect your privacy?
This leak can pose serious privacy and security risks to BangBros users.
Malicious actors can use the IP addresses to link users to credentials from other leaks, launch targeted spearphishing attacks and scams, and exploit users' sensitive browsing habits.
“Some nasty forms may include blackmail, harassment, attempts to cause reputational damage or relationship problems, or, in worst cases, discrimination. Knowing the exact location, bad actors can threaten to reveal users’ adult content viewing habits to family, employers, or the public. Therefore it is important to protect yourself,” Kasiliauskis said.
It’s advisable to reveal the least possible amount of private information on adult sites, use aliases instead of real names, create separate email accounts not linked to the primary ones, and be wary of phishing attempts or suspicious emails related to adult sites.
“Use a VPN – it masks your IP address, making it difficult for websites and third parties to track your browsing habits. A VPN also encrypts your internet traffic, protecting it from being intercepted by bad actors or your internet service provider. Choose private browsing modes, such as Incognito on Chrome, to prevent the browser from storing history, cookies, and site data locally. Use a new tab for each session; that reduces the risk of tracking across multiple sessions,” Kasiliauskis said.
Secure Elasticsearch clusters
Unprotected Elasticsearch instances have led to many leaks, exposing user data and company secrets. Often, human errors lead to these incidents.
“Implement strong authentication mechanisms. Elasticsearch supports native authentication, as well as integrations with LDAP (Lightweight Directory Access Protocol, a vendor-neutral software protocol for organizing and accessing information about users and resources in a network), Active Directory, and other identity providers. Restrict access to the Elasticsearch cluster by configuring firewalls and security groups to allow only trusted IP addresses,” Kasiliauskis continued.
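The two settings that decide whether a cluster like the one above is open to the internet are whether security is enabled and which interface the node is bound to. The following script is an added example, not code from the article or from Elastic; it audits the flat `dotted.key: value` form of elasticsearch.yml for those settings. The setting names are real Elasticsearch settings, the two sample configurations are constructed, and the hardened one assumes a private address (10.0.5.12) that a firewall restricts to the application subnet.

```python
"""Audit a flat elasticsearch.yml for settings that leave a cluster readable by anyone.

Added example, not code from the article or from Elastic. The setting names are
real Elasticsearch settings; the two sample configurations are constructed.
"""
import re

# Values of network.host that keep Elasticsearch on the loopback interface.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the `dotted.key: value` lines elasticsearch.yml is normally written as.
    Comments are stripped; nested YAML is deliberately not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def enabled(settings: dict, key: str) -> bool:
    return settings.get(key, "").lower() == "true"


def audit(yaml_text: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    s = parse_flat_yaml(yaml_text)
    findings = []
    # When network.host is unset, Elasticsearch binds to loopback only.
    host = s.get("network.host", "_local_")
    reachable = host not in LOOPBACK
    security = s.get("xpack.security.enabled")

    if security is None:
        # The default depends on the major version (off in 7.x, on in 8.x),
        # so a config that relies on it is not auditable; require it explicitly.
        findings.append("xpack.security.enabled is not set; set it to true explicitly")
    elif security.lower() != "true":
        findings.append("xpack.security.enabled: false disables authentication")

    if reachable and not enabled(s, "xpack.security.enabled"):
        findings.append(
            f"CRITICAL: network.host={host} binds a non-loopback interface with no "
            "authentication; anyone who can reach port 9200 can dump every index")
    if enabled(s, "xpack.security.enabled"):
        if not enabled(s, "xpack.security.http.ssl.enabled"):
            findings.append("HTTP TLS is off; credentials and data cross the network in cleartext")
        if not enabled(s, "xpack.security.transport.ssl.enabled"):
            findings.append("transport TLS is off; node-to-node traffic is cleartext")
    return findings


# Constructed sample: the shape of config that produces an open cluster.
WEAK = """
cluster.name: media-stats
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same cluster with authentication and TLS on, bound to a
# private address that a firewall / security group limits to the app subnet.
HARDENED = """
cluster.name: media-stats
network.host: 10.0.5.12   # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

The audit only sees what is in the file: a node bound to a private address still needs the firewall or cloud security group that restricts port 9200 to trusted sources, and that rule has to be checked where it is defined, not here.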
For highly sensitive data, he advises considering field-level encryption to encrypt specific fields within the documents.
“Also, mask or anonymize sensitive data fields (e.g., usernames, and IP addresses) where possible to reduce the impact of potential future leaks.”
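One concrete way to apply that masking advice is to pseudonymize records before they are indexed, so that a future exposure of the cluster yields tokens rather than the raw identifiers listed earlier. The script below is an added example, not code from the article or from the company. It replaces IP addresses and usernames with keyed HMAC tokens (still joinable for analytics, not reversible without the key), rounds the coordinates to one decimal place, and reduces the user agent to a browser family. The field names mirror the leaked columns; the sample records and the key are constructed.

```python
"""Pseudonymize user analytics records before they are indexed.

Added example, not code from the article or the company. Direct identifiers are
replaced with keyed (HMAC) tokens, the location is coarsened, and the full user
agent is reduced to a browser family. Field names mirror the leaked columns;
the sample records and the key are constructed.
"""
import hashlib
import hmac

# Constructed for the example. In production the key lives in a secret store,
# never in the index or on the indexing host's disk, and is rotated per retention period.
KEY = b"example-pseudonymization-key-rotate-me"

# Fields that must not reach the index in the clear.
DIRECT_IDENTIFIERS = ("ip", "username", "user_agent", "lat", "lon")


def token(kind: str, value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over "kind:value", truncated to 16 hex chars.
    The kind prefix is a domain separator so an IP and a username never share a token.
    Same value and key -> same token, so counting and joining still work; without the
    key a token cannot be reversed, and unlike a plain hash it cannot be recovered by
    enumerating the (small) IPv4 space."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def coarsen_geo(lat: float, lon: float, decimals: int = 1) -> tuple:
    """One decimal place is roughly 11 km; the leaked four decimals implied ~11 m."""
    return round(lat, decimals), round(lon, decimals)


def ua_family(user_agent: str) -> str:
    """Keep only the browser family. Order matters: Edge UAs also contain "Chrome"
    and "Safari", and Chrome UAs contain "Safari"."""
    for marker, family in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                           ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if marker in user_agent:
            return family
    return "other"


def pseudonymize(record: dict, key: bytes = KEY) -> dict:
    """Return a copy of `record` that is safe to index."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "ip" in record:
        out["ip_token"] = token("ip", record["ip"], key)
    if "username" in record:
        out["user_token"] = token("user", record["username"], key)
    if "user_agent" in record:
        out["browser"] = ua_family(record["user_agent"])
    if "lat" in record and "lon" in record:
        out["lat"], out["lon"] = coarsen_geo(record["lat"], record["lon"])
    return out


# Constructed sample records in the shape of the leaked login/feedback entries.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.42", "username": "viewer_87", "country": "US",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
     "lat": 25.7617, "lon": -80.1918, "feedback": "player keeps buffering"},
    {"ip": "203.0.113.42", "username": "other_user", "country": "US",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0",
     "lat": 25.7617, "lon": -80.1918, "feedback": "thanks"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(pseudonymize(rec))
```

Two caveats the code does not solve on its own: the free-text feedback field passes through untouched and may itself contain names or addresses, so it needs its own review or redaction; and the tokens are only as private as the key, which is why the key must never be stored alongside the index.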
Tight access controls, which include universal multifactor authentication, monitoring for suspicious login attempts, whitelisting access from trusted locations, and enforcing strict login rules, can prevent some of the worst cybersecurity incidents.