An online hardcore fetish forum has been the subject of a hack, resulting in more than 100,000 user details being leaked. The details include: usernames, IP addresses, email addresses and weakly-hashed passwords.
The breach was discovered by the founder of Have I Been Pwned, Troy Hunt. The service is used to find out if you have been the subject of a data breach by entering your email address. He was made aware of the leak by somebody who is involved in the trading of such information and the person then provided him with a download link for the data. It was verified as accurate by using the password reset function of the affected website.
Whilst talking to the BBC, Troy explained that the forum was exploited by an SQL injection vulnerability, as the site was using an outdated piece of software.
The nature of this breach is worsened by the subject matter of the forum. Many users on this site are unlikely to want their personal sexual fetishes being released - even more so when they have linked their account with their government or military email address, as some users have appeared to do, with several email addresses in the breach appearing as .gov or .mil, as Troy pointed out in a tweet:
Under normal circumstances, you would be able to use Troy"s website to discover if you"ve been involved in a breach. However, some breaches are classed as sensitive, particularly when they may release damaging information against an individual. As such, the people involved in this latest leak will not be able to search publicly if they have been involved, although anyone subscribed to the Have I Been Pwned? service will receive notification emails.
The forum involved is known as The Rosebutt Board; please be warned, this site is of a highly explicit nature. Anyone who has an account on this forum is advised to change their password if they reuse it elsewhere, as the passwords were stored using a weak hashing method.
Source: Fortune