Pierluigi Paganini January 26, 2017

The personal details of 180,000 members of the underground ‘Upskirt’ porn website The Candid Board have been leaked online.

Some data breaches are more uncomfortable the others due to the nature of the affected services, porn and dating websites belong to these categories.

The personal details of roughly 180,000 members of the underground ‘Upskirt’ porn website The Candid Board have been leaked online due to a misconfigured database. The Candid Board is an ‘Upskirt’ porn website focused on the sharing of images, videos, and discussions about girls and women who appear to be unaware they are being spied.

The leaked data includes 178,201 unique email addresses, usernames, hashed passwords, dates of birth, IP addresses and other information such as ‘join date’, ‘last post date’ and ‘reputation’ point statistics.

The subscription fee is at $19.99 a month, but it seems that there were no financial data included in the data leak.

The IBTimes UK obtained the leaked data from a source who wished to remain anonymous and analyzed it.

“The details from the leaked database, which has now been secured, were reportedly obtained from September 2015. They were being managed by a US-based cloud hosting provider called Webair.” 

“Rather than try to track down a forum administrator, who probably doesn’t want to be tracked down, I decided to contact the hosting company Webair,” our source said. “I made my way through an automated system and pushed the buttons for tech support.

“When I described the issue to the support on the other side, he immediately understood what the problem was. It was almost as if they were aware of the problems in their system. We didn’t talk for long. He said he would contact the client and then we hung up.”

Among the leaked details there were 70 military records and 19 government email addresses.

If you want to verify if your email has been exposed you can visit the data breach notification website HaveIBeenPwned that has uploaded the data to its service. In this specific case, the service will allow only verified owners to check for their email.

“It’s amazing how much personal data people will entrust sites of this nature with,” said the popular expert Troy Hunt. “Members provided accurate email addresses and birthdates which combined with their IP address now very clearly ties them back to a site of very questionable legal status.”

IBTimes UK tested a number of the IP numbers in the leaked data and verified that they match their corresponding email address.

“In one example, an IP search for the person using the email “wales.gsi.gov.uk” brought up the result: http://host246.welsh-ofce.gov.uk.”

The source also confirmed to be in possession of another large chunk of data from multiple boards operated by the same company, it seems he had access to another leaked database containing tens of thousands of records from a website called NonNudeGirls.

The recent incident is not an isolated case, in September records belonging to 800,000 users of Brazzers porn website were leaked online.

While the stolen data relates to login details for the Brazzers forum rather than the main site, it is thought that many users have duplicated their passwords across both.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ‘Upskirt’ porn website, hacking)