Data Leak On VTS Media Camsites


Users and performers of the cam site operator VTS Media have become victims of a huge data leak. The data, some of it sensitive, is said to have been accessible for months due to an unencrypted database.

The cam sites, and operated by the Spanish webcam company VTS Media apparently accidentally made the data of their actors and customers accessible to strangers between the end of May and the beginning of September.

According to TechCrunch, the logs of the VTS site network were easy to access for months. In addition to the user data, the private information of the performers might also have been exposed. The leak even included detailed information such as login attempts, user names, IP addresses and even passwords and chat messages between users, though some of this is disputed by VTS Media.

Either way, the critical vulnerability in the database of the cam network detected by the cybersecurity company Condition:Black was massive. Although the problem has now been fixed and the gap closed, security expert John Wethington says: »This was a serious failure from a technical and compliance perspective. After reviewing the sites’ data privacy policy and terms and conditions, it’s clear that users likely had no idea that their activities were being monitored to this level of detail.«

In the meantime, VTS Media has also addressed the public with a statement. The company assured that it would cooperate with the Spanish data protection authority and take measures to avoid similar incidents in the future.

However, the company is simultaneously downplaying the problem and denying the extent of the report by Condition:Black. According to VTS Media, the claim that millions of users have been affected is exaggerated. The company reports a total of 330,000 users as being theoretically affected.

A representative of the company says: »[All] of the data stored in our main database is encrypted and unreachable. There are no payment, billing, card or password data compromised. Card payments are processed by an external provider specialized in handling this type of sensitive data. Users’ passwords have not been compromised and are not kept as plain text; therefore, they do not need to be changed by the users.«

According to VTS Media, only technical log data was accessible. This data is automatically deleted after six months and is evaluated and used exclusively for internal analyses and reports. However, e-mail addresses and IP addresses were still vulnerable; no passwords were compromised, VTS assures. What the data security company had found in its report was not passwords, but failed login attempts with incorrect password entries.

The situation was even less dramatic for the actors and performers than initially thought. Only 0.5% of the performer accounts were affected. The affected performers are being contacted by VTS Media. The company is keen to reassure concerned customers and performers. According to the company’s own knowledge, nobody other than the security company and VTS Media itself was aware of the security gap and therefore it doesn’t think any data was misused.

Further information can be found on the company’s website.

