Adult websites shuttered after 1.2 million user details exposed

The database behind Wife Lovers – a site dedicated to posting nudes and erotica about wives – has been breached, exposing a total of over 1.2 million unique email addresses.

Wife Lovers was one of eight adult websites that relied on the database, putting at risk the intimate messages of the users and photos that they said were of their wives – some of whom may not have a clue that their photos were being posted in the first place.

The other sites:

  • asiansex4u.com
  • bbwsex4u.com
  • indiansex4u.com
  • nudeafrica.com
  • nudelatins.com
  • nudemen.com
  • wifeposter.com

The owner of Wife Lovers and the other seven sites, whom Ars Technica identified as Robert Angelini, said on his Wife Lovers site that he’d been notified – by a source “we feel is credible” – that an unnamed security researcher got access to the sites’ message boards and had downloaded registrants’ personal data.

The breached information includes:

  • Email addresses
  • Posting IDs
  • Encrypted passwords
  • IP address used to register on the sites

Angelini told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to the eight adult sites. Yet the 98MB database he received on Friday was mysteriously plump: it had 12 times as many email addresses as the total number of users who’ve posted to the sites, Angelini told Ars. It’s not clear if all the email addresses belong to legitimate users.

Angelini confirmed the breach on Saturday morning and took down the sites. He also put up a notice on the shuttered sites, warning users to change their passwords elsewhere, particularly if they’ve reused passwords on multiple sites:

When you post on the message board your email address and posting ID are already shown in your post. Thus, if someone is able to “crack the code” of the encrypted posting password they might be able to log into other websites that you use the same password associated with that posting ID or email address on our website.

As far as cracking the code goes, it was done pretty much instantaneously. The encryption used on the passwords is worthless: as Ars Technica’s Dan Goodin describes, it’s a four-decade-old, weak hashing scheme that took password-cracking expert Jens Steube only seven minutes to recognize and then decipher a given hash.

The hash function is known as DEScrypt. Created in 1979, it’s based on the old Data Encryption Standard (DES): an algorithm that the National Security Agency (NSA) allegedly did two things to after IBM submitted it as a standard: 1) tweaked the algorithm to close a backdoor the agency secretly knew about, and 2) cut the key size in half, making it too small to fend off brute-force attacks.
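The practical lesson for anyone running a site with an old user table is to find out which password-hashing scheme it actually uses before a dump forces the question. The following is an added example (not code from the article, Ars Technica, or the sites involved): it recognises crypt(3)-style hash strings by their format, flags the 13-character DEScrypt form along with other weak or under-tuned schemes, and shows why DEScrypt in particular is so cheap to crack (it keeps only the first 8 characters of the password, 7 bits each, and uses a 12-bit salt). The user rows are constructed sample data; the thresholds for "acceptable" bcrypt cost and sha-crypt rounds are assumptions chosen for illustration.

```python
"""Classify crypt(3)-style password hashes so a defender can locate legacy
DEScrypt entries in a user table and schedule them for re-hashing on next
login. Added example; the sample rows below are constructed, not real data."""
import re
from collections import Counter
from dataclasses import dataclass

# Traditional DEScrypt output: 13 characters from a 64-symbol alphabet
# (2 salt characters followed by 11 characters encoding the 64-bit result).
_DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_MD5CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}$")
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./0-9A-Za-z]{53}$")
_SHACRYPT_RE = re.compile(r"^\$(5|6)\$(?:rounds=(\d+)\$)?([^$]+)\$([./0-9A-Za-z]+)$")
_ARGON2_RE = re.compile(r"^\$argon2(i|d|id)\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$")

MIN_BCRYPT_COST = 10      # assumed policy threshold for this example
MIN_SHACRYPT_ROUNDS = 5000  # sha-crypt default when "rounds=" is absent


@dataclass
class HashVerdict:
    scheme: str
    acceptable: bool
    reason: str


def descrypt_effective_password(password: str) -> str:
    """DEScrypt derives its 56-bit DES key from at most 8 characters (7 bits
    each); everything after the 8th character never influences the hash."""
    return password[:8]


def classify_hash(h: str) -> HashVerdict:
    """Return the scheme a stored hash string uses and whether it is acceptable."""
    if _DESCRYPT_RE.match(h):
        return HashVerdict("descrypt", False,
                           "8-char truncation, 12-bit salt, 25 DES rounds: "
                           "trivially brute-forced; re-hash immediately")
    if _MD5CRYPT_RE.match(h):
        return HashVerdict("md5crypt", False,
                           "fast, no memory hardness; migrate to bcrypt/argon2")
    m = _BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(1))
        return HashVerdict("bcrypt", cost >= MIN_BCRYPT_COST,
                           f"cost factor {cost}")
    m = _SHACRYPT_RE.match(h)
    if m:
        rounds = int(m.group(2)) if m.group(2) else MIN_SHACRYPT_ROUNDS
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        return HashVerdict(scheme, rounds >= MIN_SHACRYPT_ROUNDS,
                           f"{rounds} rounds")
    m = _ARGON2_RE.match(h)
    if m:
        return HashVerdict("argon2" + m.group(1), True,
                           f"m={m.group(3)} KiB, t={m.group(4)}, p={m.group(5)}")
    return HashVerdict("unknown", False, "unrecognised format; inspect manually")


def audit(rows):
    """Count hash schemes across (identifier, hash) rows from a user table."""
    return Counter(classify_hash(h).scheme for _, h in rows)


# Constructed sample rows in the shape of a leaked user table.
SAMPLE_ROWS = [
    ("alice@example.com", "ab2hBNQVhiJMs"),                          # DEScrypt
    ("bob@example.com", "$1$saltsalt$ayhOEtMkYbbSO3B6RiPqa1"),       # md5crypt
    ("carol@example.com", "$2b$12$" + "x" * 53),                     # bcrypt
    ("dave@example.com", "$6$rounds=5000$saltsalt$" + "y" * 86),     # sha512crypt
    ("erin@example.com", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"),
    ("frank@example.com", "not-a-hash"),
]

if __name__ == "__main__":
    for ident, h in SAMPLE_ROWS:
        v = classify_hash(h)
        print(f"{ident:20} {v.scheme:12} {'OK ' if v.acceptable else 'BAD'} {v.reason}")
    print("scheme counts:", dict(audit(SAMPLE_ROWS)))
    print("DEScrypt sees 'correcthorsebattery' as",
          repr(descrypt_effective_password("correcthorsebattery")))
```

Run against an export of your own user table, the scheme counts tell you how much of the population is sitting behind DEScrypt or md5crypt. The usual fix is to wrap or re-hash those entries under bcrypt or Argon2 at the user's next successful login and to force a reset for accounts that never return, since the truncation shown by descrypt_effective_password means a long passphrase buys no extra protection under the old scheme.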