Data of 250K Users of Sex Industry Website on Sale for $300
A hacker has exploited a vulnerability on Dutch website Hookers.nl to appropriate the account details of all 250,000 users, which he is now offering for sale on the dark web.
The exposed data includes the email addresses, usernames, IP addresses, and passwords of sex workers and their clients. In a sample of the data viewed by Dutch news broadcaster NOS, the passwords were encrypted, but the email addresses—many of which included the actual names of the users—were fully legible.
The hacker, an unknown man, expressed no guilt or regret over his actions, telling NOS: "Tens of thousands of websites are hacked every day. I'm not the devil. It's not a question of whether your website is hacked, but when."
According to NOS, while the hacker hasn't completed any sales of the data yet, it is available for purchase by any interested parties for a mere $300.
A moderator for Hookers.nl wrote: "Offering this information for sale is punishable by law, and if possible, we will take legal action. In addition, a report has been made to the Dutch data protection authority."
Hookers.nl is a popular website among sex workers and their clients, who use it to write reviews, exchange tips, and share their experiences of the sex industry. The website confirmed to NOS this morning that the breach had occurred and issued the assurance that all users would be notified.
The breach occurred as a result of a technical weakness in the vBulletin forum software, which was revealed a few weeks ago. The opportunistic hacker told NOS that he exploited the hole before the company behind the website, Midhold, plugged it with a patch on September 25.
"It is of course not an account of your internet provider that leaked, maybe you don't want people to know that you have an account here. We are not happy with this," said Tom Lobermann, spokesperson for Midhold, which also operates Kinky.nl, Erotracks.nl, and Webcambordeel.nl.
A breach of this kind carries with it the threat of blackmail. Arda Gerkens of the Help Wanted foundation, who assists victims of sex-related abuse, said: "Membership in such a forum is certainly something someone can be extorted with. Some people are not secretive about their prostitution visit, but it is certain that when people use a nickname, they want to remain anonymous."
Hookers.nl has set up a forum page for users who want their accounts to be removed.
Source: Information Security Magazine