It looks like the Internet sex site YouPorn just took one in the eye. A years-old coding error has exposed the emails and passwords of over a million of its smut-loving chat users.
The YP site itself wasn't hacked; rather, its associated sex-chat site — which is run by an outside company — somehow left bales of unencrypted sign-up information on a public web server. The error was apparently discovered after the sensitive info was uploaded to an FTP server and made available in Torrent form. The Torrent has reportedly been removed from circulation, though one can still find the indexes and some of the older files on archive.org. The breach itself was noticed through a discussion thread on Flashback.org.
"Looking at the data, it seems like a careless programmer accidentally left debug logging on to a publicly accessible URL as early as November 2007, and it has been storing all registrations ever since," said Anders Nilsson, CTO at Swedish security distributor EuroSecure, in a blog post. "The data was found by someone sweeping websites for publicly accessible, but non-linked ('hidden') folders, looking for either porn or sensitive material like this, and struck gold."
YouPorn has already taken steps to contain the breach. The company has completely disabled the chat function, which will remain so until a third-party security analysis has been completed. "YouPorn continues to ensure that all appropriate measures and tools are in place to maintain the security of its infrastructure, and to safeguard the privacy of its users," Manwin Holding SARL spokeswoman Kate Miller said in a statement.
While it's only the chat site that's been offlined (since yesterday), we still recommend following the standard practice of changing your passwords in light of this security breach. It should help prevent further hacking against you stemming from this leak. [The Register - Physorg]