Hack of Luscious anime porn site exposed identities and info of 1.2m users

20 Aug 2019

Image: © LIGHTFIELD STUDIOS/Stock.adobe.com

Researchers at VPN Mentor discovered a data breach that revealed the identities of more than a million users of an anime porn ‘hentai’ website.

When users hand over their personal data, there is an expectation that this data will remain private and secure. This expectation takes on a new level of urgency when it comes to sex and dating apps, as often people will be disclosing deeper desires they may not want to reveal publicly. Hence, the recent security vulnerabilities discovered in threesome and swingers dating app 3fun caused quite a stir.

Members of the porn website Luscious, therefore, may be disappointed to know that a research team from VPN service VPN Mentor discovered a data breach that exposed information on the site’s almost 1.2m ‘anonymous’ users.

Luscious is described by the research team, led by Noam Rotem and Ran Locar, as a niche adult website that focuses primarily on animated and user-uploaded content, primarily of the anime or manga porn variety, which is collectively known as ‘hentai’.

Zack Whittaker of TechCrunch, who first broke the story, has described the site as “one of the most popular websites in the US” and is, per Alexa data, ranked in the top 5,000 sites in traffic.

By the researcher’s estimates, the site has in excess of 1m registered users, each of which has a profile that the team were able to access during their research.

The data breach the team discovered compromises the anonymity that many of the users operate under and exposes their personal email addresses, records of their activity on the side, locations and more. Though the researchers estimated that 20pc of the email addresses used were fake, most of them were real and some exposed users’ full names, increasing their vulnerability to exploitation and cybercrime.

Possible impact

“The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers,” the researchers explained.

They also noted that many of the accounts were linked to blog posts and content published on the site, which included extremely personal writing, including “depressive and otherwise vulnerable content”.

The site owner, after attempts by both TechCrunch and the VPN Mentor research team to alert them to the breach, eventually responded and confirmed that the information had been compromised.

“We will be reaching out to any compromised users to warn them about the potential exposure of their private email addresses,” the site owner said.

The research team warned that the impact of this breach could be devastating both personally and financially for users and could leave them vulnerable to doxing, phishing, extortion and more.

The team also pointed out that from a commercial perspective, the exposure of this data could hurt Luscious, as it will allow the site’s competitors to analyse user behaviour and target them with alternatives.

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com