WiHD leak exposes details of all torrent users

World-in-HD (WiHD), a French private video torrent community, left an open instance exposing the emails and passwords of all of its users and administrators.

WiHD, a popular torrent tracker specializing in HD movies, inadvertently exposed tens of thousands of its users, the Cybernews research team has recently discovered.

WiHD is a private tracker dedicated to distributing high-definition video content. Registered users can access French and English-language TV series, movies, animation, and other content.

Unlike public torrent trackers, private trackers are often invitation-only and supposedly maintain high standards for uploaded content. User forums lament the tracker’s exclusivity, with some selling invites to the website for over $100.

However, the Cybernews team discovered a publicly exposed Elasticsearch cluster belonging to WiHD that lacked any password protection. Elasticsearch is a popular tool for managing large volumes of data.

What data was exposed?

According to the team, 97,327 accounts were exposed in the leak. Both WiHD's customers and its administrators had their accounts exposed over the publicly facing instance.

The leaked data includes:

  • User emails
  • IP addresses
  • Service info
  • Usernames
  • Hashed passwords for all torrent users

Exposing sensitive user data to anyone on the internet poses significant security risks, the researchers claim. For example, malicious actors could collate IP addresses with email addresses to pinpoint user locations.

“Threat actors could engage in various illicit activities, such as tracking and identifying users for legal repercussions, launching targeted phishing attacks, or potentially exposing users’ downloading habits, raising privacy and legal concerns for affected individuals,” researchers said.

The likeliest reason for the exposed Elasticsearch instance is a misconfiguration. The team noted that WiHD eventually closed the exposed instance. However, attackers scouring the net could have easily downloaded the data for future use.
