The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, have uncovered a leaking S3 Bucket with 19.95GB of visible data on a Virginia-based Amazon server, belonging to an adult site.
The site is an explicit ‘cam’ affiliate network that owns many adult-oriented websites and has as many as 66 million subscribers. This leak has exposed the personal data of more than 4,000 models and more than 875,000 files.
According to the vpnMentor report, there are at least 875,000 keys, which represent different file types, including videos, marketing materials, photographs, clips and screenshots of video chats and zip files. Within each zip folder – and there is apparently one zip folder per model – there are often multiple additional files (e.g. photographs and scans of documents), and many additional items that Rotem and Locar chose not to explore. The folders included could be up to 15-20 years old, but are also as recent as the last few weeks.
Photographs and scans of full passports and national identification cards, including visible:
- Full name
- Birth date
- Birthplace
- Citizenship status
- Nationality
- Passport/ID number
- Passport issue & expiration dates
- Nationally registered gender
- ID photo
- Personal signature
- Parent’s full names
- Fingerprints
- Additional country-specific details (e.g. emergency contact information for UK citizens)
Leaked photographs and scans of Driver’s Licenses, include visible: Driver’s License number, photo, date of birth, height/weight, registered gender, full address, signature, type of vehicle the individual is permitted to operate and other additional PII, varying by country (such as organ donor status and visual impediments for US citizens and Social Security Numbers).
Rotem and Locar said that there are more than 28 countries affected by the data breach, including all continents. These are the countries that the research team found, but they did not open each file and it is possible that there are more nationalities affected by the leak. The models and subscribers may be at risk of identity theft, scams, blackmail or extortion, job loss, legal repercussions and even stalking by fans.