Hacking, just like all other Internet businesses, is morphing to survive. And to be very clear, hacking is a business.
Before people make funny jokes, no, hackers do NOT hack into porn sites for the pictures. They could use stolen credit cards if that was all they wanted.
The porn site Brazzers was hacked, apparently back in 2013, but the data is only surfacing now. The passwords came from the forum part of the site, but the main site and the forum shared userids and passwords, for convenience, so a forum credential was also a main-site credential.
It is important to understand that the fact that the data is surfacing now does not mean that it hasn’t been used for the last three years by the hacker. It could mean that the hacker got hacked or it could be that this is yet another way to monetize the data.
It is believed that the hacker(s) took advantage of the fact that the site was running an old version of vBulletin, the forum software that users interacted with. There have been other breaches of vBulletin-based sites, such as a Grand Theft Auto forum.
The data taken included names, email addresses and passwords. The passwords were stored in plain text, not hashed or even encrypted.
So let’s review what we know so far:
- The operator of the web site did not think it was important to patch the site and run a current version of the forum software, which would at least have made it harder for hackers to break in.
- The operator of the web site did not consider security to be important, given that they stored users' passwords in plain text rather than hashing them.
Ignoring, for the moment (I will get back to it) that this was a porn site, what thoughts come to mind?
The first thought is that this could be any web site that I visit. How would I know if the web site owner used current software or not and how would I know whether they encrypt passwords? I need to consider this as I provide data to any web site that I visit.
The second thought is that if a site stores passwords unencrypted (remember, this could be any site) and I reuse passwords between sites, there is nothing to stop the web site owner or a hacker from trying my email address and password on any other site to see if it works. Kind of like testing a key in a lock. If it works, then bingo. Attackers automate this against thousands of sites at once; the practice is known as credential stuffing.
This is yet one more reason not to reuse passwords.
One easy way to tell that a web site likely stores your password in a recoverable form is if they send you an email containing your password right after you register (yes, this happens to me regularly and with some seemingly mainstream web sites). Since email is not secure, this also tells you that they are clueless about security. The second way to tell is that when you forget your password, they email your password to you rather than a reset link. Technically they could do both of these if they encrypted the password with a key they hold, but that is not much more secure than storing it unencrypted: whoever gets the database and the key gets every password, and the site itself can read them at any time. A site that stores only a salted, slow hash of the password cannot send it back to you even if it wanted to.
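To make the difference concrete, here is an added example (not code from the original post, nor from any of the sites it discusses) contrasting the plain-text storage described above with salted, slow hashing. The user names and passwords are constructed sample data. It shows why a hashed record can still verify a login but can never be emailed back to the user, and why only plain-text (or reversibly encrypted) records give a thief something to try on other sites:

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (the OWASP-recommended figure at the
# time of writing). Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """What the breached forum effectively did: the record *is* the password."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str) -> dict:
    """Salted, slow hash: enough to verify a login, useless for recovering
    the password. A fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either kind of record, in constant time."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(
            record["secret"].encode("utf-8"), candidate.encode("utf-8")
        )
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def recoverable_password(record: dict):
    """What the site operator, or whoever steals the database, can read back.
    Returns None when the record holds only a hash."""
    if record["scheme"] == "plaintext":
        return record["secret"]
    return None


def forgot_password_response(record: dict) -> tuple:
    """What a 'forgot password' email can contain for this record.
    A plain-text site can (and the bad ones do) mail the password itself;
    a hashing site can only mail a one-time reset token."""
    password = recoverable_password(record)
    if password is not None:
        return ("password", password)
    return ("reset_token", secrets.token_urlsafe(32))


def credential_stuffing_yield(records: list) -> int:
    """How many stolen records hand an attacker a password to try elsewhere."""
    return sum(1 for r in records if recoverable_password(r) is not None)


if __name__ == "__main__":
    # Constructed sample users; not data from any real breach.
    shared_password = "correct horse battery staple"  # reused across sites
    users = {
        "alice": store_plaintext(shared_password),
        "bob": store_hashed(shared_password),
    }
    for name, rec in users.items():
        kind, _ = forgot_password_response(rec)
        print(f"{name}: {rec['scheme']}, login ok={verify(rec, shared_password)}, "
              f"forgot-password email carries a {kind}")
    print("records usable against other sites:",
          credential_stuffing_yield(list(users.values())))
```

Only the plain-text record lets the "forgot password" email carry the password itself, which is exactly the tell described above. The hashed record can confirm a correct login and nothing more, so it is worthless for trying the same credentials on another site.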
Getting back to why hack a porn site, the obvious answer is to extort money from the members.
People, for some unknown reason, sometimes use their work email to register for these sites. The blackmailer can threaten to tell your boss that you are active on a porn site. He or she can also threaten to tell a spouse or publicly out you to get a ransom. Even if the amount of the extortion is small by blackmail standards – $100 per user – that equates to $800 million if every user paid up (which of course, would not happen). If 10 percent of the users paid, that would be $80 million.
Other possible people to out you to might include your church, your kids' school, a public official's constituents and your co-workers.
In this case, since this was a forum site, people would be discussing their thoughts about the performers and their activities and actions they might like the performers to do in the future. This can get pretty warped, pretty fast. Given the hacker has the userid and password, getting this data is not very hard. And given the likely warped nature of the conversations, it ups both the likelihood of people paying and the price of silence.
Remember the Sony hack, where emails surfaced that were not very appropriate. People lost their jobs. If an executive at a company was outed regarding his or her porn fantasies, that executive might also be unemployed. That would definitely be worth more than $100 to bury.
A couple of lessons here –
- Do not reuse passwords. You have no clue how diligent the owner of the web site is. You don’t know if the web site has been hacked and, in many cases, neither does the owner of the web site.
- If you must participate in shady web sites (and I don't just mean porn sites, I mean any site that you do not have a high degree of confidence in; Facebook likely has decent security, but can you say the same about the last web site you created a userid at, or worse yet, logged in to with your Facebook credentials?), create a generic Gmail account (Bob47932@gmail.com) and a unique password so that it is much harder to tie the account back to you. Do not enter your real name and address, and if the site requires a credit card, use a disposable prepaid card available at the grocery store and do not register that card in your name.