A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.
Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn’t know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn’t had time to examine a copy of the database that he received on Friday night.
Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites early on Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.
“We will not be going back online unless this gets fixed, even if it means we close the doors forever,” Angelini wrote in an email. It “doesn’t matter if we are talking about 29,312 passwords, 77,000 passwords, or 1.2 million or the actual number, which is probably in between. And as you can see, we are starting to encourage our users to change all the passwords everywhere.”
Besides wifelovers.com, the other affected sites are: asiansex4u.com, bbwsex4u.com, indiansex4u.com, nudeafrica.com, nudelatins.com, nudemen.com, and wifeposter.com. The sites offer a variety of pictures that members say show their spouses. It’s not clear that all of the affected spouses gave their consent to have their intimate images made available online.
Whatever the number of real accounts exposed, this latest hack harkens back to the 2015 breach of the Ashley Madison dating service for cheaters. That earlier breach made public the intimate details of 36 million account holders. Within weeks, affected users were receiving emails from unknown people threatening to notify spouses of their infidelities unless the users paid hefty ransoms. Reports of at least two member suicides soon surfaced.
In many respects, the most recent breach is more limited than the hack of Ashley Madison. Whereas the 100GB of data exposed by the Ashley Madison hack included users’ street addresses, partial payment-card numbers, phone numbers, and records of almost 10 million transactions, the newer hack doesn’t involve any of those details. And even if all 1.2 million unique email addresses turn out to belong to real users, that’s still considerably fewer than the 36 million dumped by Ashley Madison.
“Devastating for people”
Still, a quick examination of the exposed database demonstrated to me the potential damage it could inflict. Users who posted to the site were allowed to publicly link their accounts to one email address while associating a different, private email address to their accounts. A Web search of some of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that gave the users’ first and last names, geographic location, and information about hobbies, family members, and other personal details. The name one user gave wasn’t his real name, but it did match usernames he used publicly on a half-dozen other sites.
“This incident is a huge privacy violation, and it could be devastating for people like this guy if he’s outed (or, I assume, if his wife finds out),” Troy Hunt, operator of the Have I Been Pwned breach-disclosure service, told Ars.
Ars worked with Hunt to confirm the breach and track down and notify the owner of the sites so he could take them down. Normally, Have I Been Pwned makes exposed email addresses available through a publicly available search engine. As was the case with the Ashley Madison disclosure, affected email addresses will be kept private. People who want to know if their address was exposed will first have to register with Have I Been Pwned and prove they have control of the email account they’re inquiring about.
Also concerning is the exposed password data, which is protected by a hashing algorithm so weak and obsolete that it took password cracking expert Jens Steube just seven minutes to recognize the hashing scheme and decipher a given hash.
13 chars base64 usually descrypt (-m 1500 in hashcat)
— hashcat (@hashcat) October 18, 2018
Known as Descrypt, the hash function was created in 1979 and is based on the old Data Encryption Standard. Descrypt provided improvements designed at the time to make hashes less susceptible to cracking. For instance, it added cryptographic salt to prevent identical plaintext inputs from having the same hash. It also subjected plaintext inputs to multiple iterations to increase the time and computation required to crack the resulting hashes. But by 2018 standards, Descrypt is woefully inadequate. It provides just 12 bits of salt, uses only the first eight characters of a chosen password, and suffers other more-nuanced limitations.
“The algorithm is quite literally ancient by modern standards, designed 40 years ago, and fully deprecated 20 years ago,” Jeremi M. Gosney, a password security expert and CEO of password-cracking firm Terahash, told Ars. “It is salted, but the salt space is very small, so there will be thousands of hashes that share the same salt, which means you’re not getting the full benefit from salting.”
By limiting passwords to just eight characters, Descrypt makes it nearly impossible to use strong passwords. And while the 25 iterations require about 26 times more time to crack than a password protected by the MD5 algorithm, the use of GPU-based hardware makes it easy and fast to recover the underlying plaintext, Gosney said. Manuals, such as this one, make clear Descrypt should no longer be used.
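The two weaknesses the experts describe above, the 12-bit salt that forces thousands of hashes to share a salt and the eight-character truncation, are exactly what an operator should be looking for in an old credential table. The following Python is an added example, not code from the article, from hashcat or from the breached sites: it inventories a (user, hash) table by scheme using the 13-character shape the hashcat tweet mentions, measures how badly descrypt salts are being shared, and shows the standard remedy of re-hashing a legacy record with a modern scheme at the moment a correct password is presented. The sample records are constructed (the descrypt strings have the right shape but are not real hashes of anything), the `$pbkdf2-sha256$...` storage format is this example's own and not a standard one, and the stand-in legacy verifier in the demo only models descrypt's truncation rather than computing DES.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Hash-format fingerprints. The bare 13-character [./0-9A-Za-z] shape is the
# descrypt signature quoted in the article; the "$id$" prefixes are the usual
# modular-crypt identifiers. "$pbkdf2-sha256$" is the label this example uses
# for its own output and is not a standard format (assumption of this example).
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES: Dict[str, str] = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$argon2id$": "argon2id",
    "$pbkdf2-sha256$": "pbkdf2-sha256",
}
LEGACY = {"descrypt", "md5crypt"}     # schemes to retire on next login
DESCRYPT_SALT_BITS = 12               # 4096 possible salts, per the article
ITERATIONS = 600_000                  # OWASP guidance for PBKDF2-HMAC-SHA256

def classify_hash(stored: str) -> str:
    """Name the scheme a stored hash string uses, or 'unknown'."""
    for prefix, name in PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if DESCRYPT_RE.match(stored):
        return "descrypt"
    return "unknown"

def audit(records: List[Tuple[str, str]]) -> Tuple[Counter, int, float]:
    """Inventory a (user, hash) table: scheme counts, the largest number of
    descrypt hashes sharing one salt, and the expected share per salt if the
    12-bit salts were spread evenly over the descrypt rows."""
    schemes = Counter(classify_hash(h) for _, h in records)
    # descrypt stores its 12-bit salt as the first two characters of the hash
    salts = Counter(h[:2] for _, h in records if classify_hash(h) == "descrypt")
    worst = max(salts.values()) if salts else 0
    expected = schemes["descrypt"] / 2 ** DESCRYPT_SALT_BITS
    return schemes, worst, expected

def hash_modern(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt; no 8-character limit."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    """Constant-time check of a password against this example's own format."""
    try:
        _, _, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)

def login(password: str, stored: str,
          legacy_verify: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Check a login and return (ok, hash_to_store). A correct password against
    a legacy hash is the only moment the plaintext is available, so the record
    is re-hashed with the modern scheme right there, over the full password
    rather than the eight characters descrypt kept."""
    scheme = classify_hash(stored)
    if scheme in LEGACY:
        if not legacy_verify(password, stored):
            return False, stored
        return True, hash_modern(password)
    if scheme == "pbkdf2-sha256":
        return verify_modern(password, stored), stored
    return False, stored          # unknown scheme: refuse rather than guess

def crypt3_verify(password: str, stored: str) -> bool:
    """Legacy verifier using the platform crypt(3) via Python's crypt module
    (deprecated in 3.11, removed in 3.13); supply your own on newer runtimes."""
    import crypt  # deferred so the rest of the file works without it
    return hmac.compare_digest(crypt.crypt(password, stored) or "", stored)

# Constructed sample dump: the descrypt strings below have the right shape
# (2-char salt + 11 chars) but are not real hashes of any password.
SAMPLE_RECORDS = [
    ("alice", "abJnggxhB/yWI"),
    ("bob",   "abTq1yo9XZkPM"),      # same 'ab' salt as alice
    ("carol", "cdWv0hN2sKp7Q"),
    ("dave",  "$1$xyzsalt$q2TOv9IlcBzgnRfI2zJ4k0"),
]

if __name__ == "__main__":
    schemes, worst, expected = audit(SAMPLE_RECORDS)
    print(schemes, "worst salt share:", worst, "expected:", round(expected, 4))
    # Stand-in legacy verifier that models descrypt's 8-character truncation
    # (constructed for the demo; it does not compute DES).
    fake_legacy = lambda pw, h: pw[:8] == "hunter2!"
    ok, new_hash = login("hunter2!ignored", "abJnggxhB/yWI", fake_legacy)
    print(ok, classify_hash(new_hash))
    print(verify_modern("hunter2!ignored", new_hash), verify_modern("hunter2!", new_hash))
```

Run against the constructed table, `audit` reports three descrypt rows and one md5crypt row with two of the descrypt hashes already sharing the `ab` salt; at the scale Angelini quotes (around 107,000 posters) the same arithmetic gives roughly 26 hashes per salt, which is Gosney's point about losing the benefit of salting. After `login` succeeds against the truncating verifier, the stored hash is PBKDF2 over the whole password, so the trailing characters that descrypt ignored now matter.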
The exposed hashes threaten users who may have used the same passwords to protect other accounts. As mentioned earlier, people who had accounts on any of the eight hacked websites should examine the passwords they’re using on other sites to make sure they’re not exposed. Have I Been Pwned plans to disclose the breach soon. People who want to know if their personal information was leaked should register with the breach-notification service now and check back over the next day or so.
The hack underscores the risks and potential legal liability that comes from allowing personal data to accumulate over decades without regularly updating the software used to secure it. Angelini, the owner of the hacked sites, said in an email that, over the past two years, he has been involved in a dispute with a family member.
“She is pretty computer savvy, and last year I required a restraining order against her,” he wrote. “I wonder if this was the same person” who hacked the sites, he added. Angelini, meanwhile, held out the sites as little more than hobbyist projects.
“First, we are a very small company; we do not have a lot of money,” he wrote. “Last year, we made $22,000. I am telling you this so you know we are not in this to make a ton of money. The message board has been operating for 20 years; we try hard to operate in a legal and safe environment. At this moment, I am overwhelmed that this happened. Thank you.”