Massive privacy risk as hacker sold 2 million MyFreeCams user records

The same hacker also sold almost 19,000 customers’ records stolen from a Hong Kong-based online shop.

The same hacker also sold almost 19,000 customers’ records stolen from a Hong Kong-based online shop.

Stolen data of around 2 million users of an adult streaming website MyFreeCams (MFC) was up for sale on an online hacker forum for $1,500 worth of bitcoin per 10,000 records.

The threat actor selling the data claimed that a single batch would rake in at least $10,000 for the buyer on the black market.

See: 3TB of clips from exposed home security cameras posted online

The hacker offered sensitive information like usernames, plain text passwords, email IDs, and MyFreeCams Token (MFC Token) amounts. 


Hacker Made $22,400 in Bitcoin

The post and the account on the hacker forum are now deleted and the cryptocurrency wallet is also emptied after the hacker collected $22,400 in Bitcoin through 40 transactions.

MFC is one the largest adult chat and web streaming platforms with a monthly visitor turnout of over 70 million. 

Data Stolen in December 2020

MyFreeCams data, according to the hacker, was stolen in December 2020 via an SQL injection attack. The stolen data includes records of 2 million premium members of the site.

The company issued a statement claiming that it has notified impacted users and reset the passwords. Their investigation traced the data to a security breach from June 2010 while the exploit was closed immediately after the breach.

“MFC’s current systems prevent any similar attack. Until now, MFC did not have evidence that user data was actually compromised as part of the incident. We have informed affected users by email and reset their passwords. No credit card information was stored or compromised,” the company told CyberNews.

Users at risk of Extortion

This data leak may put all MyFreeCams users at risk of extortion as hackers may try to blackmail them. They also have become vulnerable to a variety of attacks, including the credential stuffing attacks.

Hong Kong-based online shop data can confirm that the threat actor also sold database access to an unknown HongKong based online shop. Apart from database access, the personal data of 18,800 customers/members was also sold to buyers.


At the time of publishing this article, both posts were removed from the hacker forum considering that the seller successfully sold the data to interested parties.

Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter

Related Posts