Hacker stole details of 250,000 users from Dutch sex worker forum

10 Oct 2019

Image: © essentialimage/Stock.adobe.com

A hacker has stolen the data of 250,000 users of a Dutch web forum, exposing the email addresses of both clients and workers.

A Dutch sex worker forum where clients can rate and review workers, Hookers.nl, has experienced a data breach, according to Dutch broadcaster NOS.

NOS reached out to the hacker, who reportedly stole the credentials of 250,000 users, and confirmed that the leak included details such as usernames, encrypted passwords, IP addresses and emails. According to the broadcaster, which was able to view some of the data, it is possible to discern the real names of many of the forum members by looking at the email addresses.

The breach was made possible due to a vulnerability in vBulletin, the forum’s software provider and one of the most popular software forum providers on the internet, which allowed outsider access to a site’s database.

Selling information

In September, an anonymous security researcher released details about the zero-day bug discovered in vBulletin, which led security experts at the time to fear that it could give way to a spree of forum hacks. The vulnerability has since been patched by the company, as explained in a statement by a Hookers.nl moderator.

The statement continued: “Nevertheless, a data breach has occurred and the email addresses have been stolen from all users. Please note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this.”

The hacker is reportedly asking for $300 for the stolen data and has yet to sell it, but seems confident he will be able to pass the information on. He told NOS: “Certainly people will want to buy it, bro.”

Commentators have voiced concerns that the stolen data could, due to its sensitive nature, be used in various forms of blackmail. The breach has already begun to draw comparisons with the Ashley Madison hack in 2015, in which the entire database of adultery-promoting website was stolen.

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com