Porn Site Luscious Leaks Personal Information of More Than One Million Users

By Melanie Ehrenkranz on at

Security breaches on widely used anonymous communities online threaten to out some of our most personal past-times, especially when those data leaks occur on platforms dedicated to user-created porn.

Researchers revealed this month that a user-generated porn site leaked a damning amount of personal data of its more than one million registered users. The site, Luscious, operates in a way that’s similar to Tumblr and it lets users post content for categories like hentai, fetishes, furries, monster girls, and softcore. While many users post anonymously, this breach effectively outed most of their identifying information on top of their user activity.

Researchers at vpnMentor discovered the Luscious security breach on Thursday. According to a blog post from the researchers, the team was able to access 1.195 million user accounts, all of which were compromised.

They were able to view their usernames, email addresses, activity logs, country of residence, gender, how many albums they created on the site, their video uploads, comments, blog posts, favourites, who they followed and who followed them, and their user ID number.

“Some of these blog posts were extremely personal – including depressive or otherwise vulnerable content – and kept anonymous,” the researchers wrote. “Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors’ identities revealed.” [Emphasis from the researchers.]

The researchers pointed out that while about 20 per cent of the emails they accessed were fake, some of the emails included a user’s full name. What’s more, “many” of the users created profiles using an official government email. According to the blog, less than a thousand had a dot edu email address, and dozens had a dot gov. The latter included officials from Brazil, Australia, Italy, Malaysia, and Australia. The most common countries of residence among all of the users, according to the researchers, were Germany, France, Russia, Poland, and Italy.

The researchers informed Luscious of the breach the day after they discovered it, on August 16, and the company reportedly fixed the issue a few days later. Though it’s unclear how long the data was accessible prior to the fix, and so it’s also unclear whether malicious actors got their hands on it in the interim.

The consequences of such a leak range from the obvious – stripping away a community’s anonymity in a space dedicated to largely deeply intimate content – to the less immediately apparent, such as giving someone the information they need to launch a widespread or targeted phishing and extortion attacks. And another possible vulnerability Luscious faces – which is likely the least of the users’ concerns – is that this data is now available to competitors to leverage to target their users with their own business that might cater to their now public desires.