Manwin Denies Compromise of a Million Users’ Data

LUXEMBOURG—Massive adult tube site YouPorn is denying that personal data belonging to as many as a million users of YP Chat has been compromised, as many news outlets are reporting. In a YouPorn blog post yesterday, VP of Operations Brad Black said that no YouPorn data was “exposed” at all. “The real focus of the recent news is YP Chat, an entirely separate service that was linked to from YouPorn.com,” wrote Black. “The chat service is owned and operated by a third party and is in no way associated with YouPorn.com. YP Chat is hosted on separate non-YouPorn servers and a security issue on said servers in no way creates a gateway to YouPorn.com’s secure data.” That assertion is contradicted by other reports saying that email addresses, passwords and dates of birth for up to a million users of YP Chat were compromised.  According to Anders Nilsson, CTO of EuroSecure, “Hackers have already started going through the lists, checking which users have the same password for e-mail or Facebook, and have posted some intimate pictures found in some users’ sent/received e-mail.” YouPorn is not denying that there was an incident. “With respect to YP Chat user data, we’ve taken it upon ourselves to do an independent analysis,” wrote Black. “The investigation revealed that poor security practices resulted in YP Chat’s unencrypted daily user logs being left in an unsecured public directory.” But he added that the scope of the exposure was much less than is being reported, saying, “Some reports have used this information to claim that millions of user accounts were compromised. However, that is simply not the case. As the logs maintained daily records, users that accessed their YP Chat accounts on a recurring basis would have their activity appear in countless log files. This resulted in some media outlets over-inflating the number of affected users, where in actual fact the number of unique users affected was several thousand, not millions.” It is possible that several thousand users could account for millions of daily records, but there does not seem to be enough publicly released information at this point in time to know for sure. It is also unclear, despite YouPorn’s denials, whether any data belonging to YouPorn.com users has been exposed. Of course, Black seems to be referring to YouPorn.com users as opposed to YP Chat users, but is it not possible that more than a few people registered with both using the same information? YouPorn is taking the incident it admits has had a “negative impact on YouPorn users” very seriously, calling it “disheartening” and advising people, “If you have an YP Chat user account and use the same login information for any other website or service it is recommended that you update your information on other sites immediately.” Such attention is warranted, especially after the recent hack of another Manwin-owned online property, a Brazzers forum, which a 17-year-old kid compromised by way of a secondary website connected to the primary target. However, stated Graham Cluley on Naked Security, “Unlike the recent Brazzers porn site hack… sloppy practices are being blamed for the YouPorn incident, with debug data about users seemingly being stored in a public fashion since 2007.” Nilsson was even more unforgiving, writing, “For a security professional it is baffling how coders working on a website with such sensitive content can make mistakes of this magnitude. Allegedly hundreds of megabytes of data has been secured by people with unknown goals. Cyber criminals can easily go through these e-mail addresses and match them with passwords and this way gain access to e-mail accounts. Once they are in, they can secure even more sensitive information to use in phishing attacks, theft, or fraud.” Even if the scale of the impact is less than is being reported, there is now more scrutiny than ever before on the security practices and protocols of arguably the largest porn company in the world. AVN contacted Manwin for additional comment, but a reply was not immediately forthcoming.