The database was left exposed on an Elasticsearch cluster without any password or other authentication.
StripChat is one of the top five adult cam sites on the internet. Earlier this month, the site suffered a database exposure that leaked sensitive data, including payment details and chat messages, of roughly 200 million of the site’s adult cam models and users.
StripChat is a Cyprus-based website founded in 2016, and it sells its users live access to nude models. The exposed data was reported to StripChat on the day it was discovered, and the company secured it within three days.
Comparitech’s security research head, Volodymyr “Bob” Diachenko, reported that a database containing highly sensitive information on the site’s models and users was found online without password protection. The database was discovered on an Elasticsearch cluster on 5 November.
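The root cause described above is an Elasticsearch cluster reachable with no authentication. The fragment below is an added illustration, not configuration from StripChat or from Comparitech’s report: it contrasts an `elasticsearch.yml` that leaves the cluster open (the pre-8.0 default, where security was shipped disabled) with the settings a defender would expect on any node holding user data. Hostnames and certificate paths are placeholders.

```yaml
# --- Exposed configuration (illustrative, not StripChat's actual file) ---
# Before Elasticsearch 8.0 the security module shipped disabled, so a node
# bound to a public interface answered every REST query with no credentials.
cluster.name: cam-site-data
network.host: 0.0.0.0            # listens on every interface, including the internet
http.port: 9200
xpack.security.enabled: false    # no users, no roles, no TLS: anyone can read or delete indices

# --- Hardened configuration ---
cluster.name: cam-site-data
network.host: 127.0.0.1          # reachable only from the host (use a private interface for multi-node)
http.port: 9200
discovery.type: single-node      # assumption: a single node for this illustration
xpack.security.enabled: true     # enforce authentication and role-based access on every request
xpack.security.http.ssl.enabled: true          # TLS on the REST API
xpack.security.http.ssl.keystore.path: certs/http.p12        # placeholder path
xpack.security.transport.ssl.enabled: true     # TLS between nodes
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder path
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.audit.enabled: true             # log authentication events for the SOC
```

With the hardened settings a request to port 9200 without credentials returns HTTP 401 rather than the index listing, and the audit log records who queried which index, which is the evidence a team needs to answer the question left open in this report: whether anyone other than the researcher accessed the data while it was exposed.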
About Exposed Data
The data included 65 million user records comprising email addresses, IP addresses, the total amount tipped to models, account creation timestamps, and the user’s last activity.
A second database contained roughly 421,000 records on the site’s models. The exposed fields included models’ usernames, gender, tip menus, studio IDs, and prices, as well as Live Status and Strip Score.
“A transaction database of circa 134 million records with information about tokens and tips paid by users to models, including private tips. A moderation database of about 719,000 chat messages sent to models, including both private and public messages. Each record contains the user ID of the viewer who sent the message,” Diachenko explained in his blog.
Risks Associated with Exposed Data
According to Diachenko, the exposure has put around 200 million models and users at risk of various threats, including phishing campaigns, extortion, and violence.
“The exposure could pose a significant privacy risk for both Stripchat viewers and models. If the data was stolen, they could face harassment, humiliation, stalking, extortion, phishing, and other threats, both online and offline,” Diachenko noted.
The researcher said it wasn’t clear whether any unauthorized party had accessed the data. The database was secured on 7 November, meaning it was exposed for three days.
“Victims should be on the lookout for targeted phishing emails from fraudsters posing as Stripchat or a related company. Never click on links or attachments in unsolicited emails,” Diachenko suggested in the report.