Just two weeks ago, hacked data on more than 412 million users of FriendFinder Networks’s adult websites was dumped online. Now hackers have reportedly compromised another popular adult website, xHamster.
The hack only impacted a fairly small portion of xHamster’s total user base. Though it’s estimated that xHamster logs about a billion visitors every month, only around 12 million users have signed up for accounts. Of those, Motherboard is reporting that just 380,000 were exposed in the breach.
The fact that only 3% of xHamster users have been exposed is good news for the other 11-plus million users, at least for now. As for the victims, xHamster had some reassuring words for them, too. In a statement to Motherboard, xHamster claimed that its users were perfectly safe, saying that “the passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them.”
Unfortunately, what counts as “properly encrypted” seems to be open for debate. Motherboard says that xHamster used the outdated MD5 hashing algorithm to protect passwords. MD5 was also used by Ashley Madison, and it was barely an inconvenience to anyone who wanted to trawl through records looking for a juicy scoop for the news cycle or, in more than a few cases, an extortion victim.
It’s unlikely that there’s as much potentially damaging information in an xHamster user’s profile. Still, the 70 or so users who registered with military and government email addresses no doubt wish they hadn’t been revealed. Other victims who didn’t have the foresight to register with a disposable email or alias are probably feeling the same way.
I reached out to xHamster to confirm Motherboard’s findings, and was told that “there was a failed attempt to hack our database which occurred 4 years ago.” Motherboard did find several accounts in the dump that appeared to be registered on xHamster’s site, but a company spokesperson assured me that “the integrity of [their] user data is secure.”
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 03:33PM