An absolute treasure trove of exposed data has turned up, in the form of an unsecured database belonging to adult cam site CAM4.
Researchers from Safety Detectives discovered a seven terabyte (7TB) database containing 10.88 billion records from CAM4, including personal information and chat records.
Personally identifiable information, including payment logs and IP addresses, was found in the database, whose records date back as far as March 16, 2020, according to the researchers.
Password information was visible (though partly hashed), and payment amounts and card types were also present, all tied to the same accounts as some rather explicit chat logs. Device information, customer service logs, preferences and sexual orientation were all in the trove.
Worst hit was the US, with 6.55 million records exposed, followed by Brazil, Italy, France, Germany and Spain in descending order. The UK had 1.62 million records exposed.
As the researchers note, the real danger lies in the smaller number of cases where several pieces of information about a single individual can be tied together.
“Altogether, a ‘few hundred entries’ revealed full names, credit card types and payment amounts. The combination of all three is a critical aspect — as opposed to having limited access to just payment amounts without full names — because in unison they create a far greater security risk compared to just one or two information points in isolation,” they said.
The data sat in an Elasticsearch instance that was a full production database, reachable from the internet without credentials. Many databases, Elasticsearch included, neither require authentication nor encrypt their data out of the box; locking them down is a step in the set-up process that is easy to skip. That makes human error at least as likely an explanation as any sort of foul play.
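The check a practitioner would want here is whether one of their own Elasticsearch nodes answers without credentials. The script below is an added example, not code from the original article, CAM4 or Safety Detectives: it fetches the cluster banner (`GET /`) and the index listing (`GET /_cat/indices?format=json`) with no credentials and classifies the result. The hostnames are placeholders and the sample responses are constructed to mirror the shape Elasticsearch returns; only probe hosts you own or are authorised to test.

```python
"""Detect an Elasticsearch node that serves data without authentication.

Added example; not from the original article. Hostnames are placeholders and
the sample responses at the bottom are constructed for illustration.
"""
import json
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def assess(root_status, root_body, indices_status, indices_body):
    """Classify one node from two unauthenticated responses.

    root_*    : status and body of GET /
    indices_* : status and body of GET /_cat/indices?format=json
    Returns a dict with 'exposed' plus a 'reason', and, when exposed, the
    version and a list of non-system indices sorted by document count.
    """
    if root_status is None:
        return {"exposed": False, "reason": "unreachable"}
    if root_status in (401, 403):
        # A node with security enabled answers 401 security_exception here.
        return {"exposed": False, "reason": "authentication required"}
    try:
        root = json.loads(root_body)
    except ValueError:
        return {"exposed": False, "reason": "not an Elasticsearch node"}
    if not isinstance(root, dict) or "tagline" not in root or "version" not in root:
        return {"exposed": False, "reason": "not an Elasticsearch node"}

    finding = {
        "exposed": True,
        "reason": "cluster info and index listing readable without credentials",
        "version": root["version"].get("number"),
        "indices": [],
    }
    if indices_status == 200:
        try:
            for idx in json.loads(indices_body):
                name = idx.get("index", "")
                if name.startswith("."):
                    continue  # skip system indices such as .kibana / .security
                finding["indices"].append({
                    "index": name,
                    "docs": int(idx.get("docs.count") or 0),
                    "size": idx.get("store.size"),
                })
        except (ValueError, AttributeError, TypeError):
            pass  # listing unreadable; the banner alone still proves exposure
    finding["indices"].sort(key=lambda i: i["docs"], reverse=True)
    return finding


def fetch(url, timeout=5):
    """Unauthenticated GET returning (status, body); network errors give (None, message)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        return None, str(err)


def probe(base_url):
    """Probe a live node, e.g. probe('http://es.internal.example:9200')."""
    base_url = base_url.rstrip("/")
    return assess(*fetch(base_url + "/"), *fetch(base_url + "/_cat/indices?format=json"))


# Constructed sample responses shaped like real Elasticsearch output.
OPEN_ROOT = json.dumps({"name": "node-1", "cluster_name": "prod",
                        "version": {"number": "6.8.2"},
                        "tagline": "You Know, for Search"})
OPEN_INDICES = json.dumps([
    {"index": "chat-logs", "docs.count": "4000000000", "store.size": "2.1tb"},
    {"index": ".kibana", "docs.count": "12", "store.size": "40kb"},
    {"index": "payments", "docs.count": "900000", "store.size": "300mb"},
])
LOCKED_ROOT = json.dumps({"error": {"type": "security_exception",
                                    "reason": "missing authentication credentials for REST request [/]"},
                          "status": 401})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        print(json.dumps(assess(200, OPEN_ROOT, 200, OPEN_INDICES), indent=2))
        print(json.dumps(assess(401, LOCKED_ROOT, 401, LOCKED_ROOT), indent=2))
```

Run it with no arguments to see the two constructed cases, or pass a base URL such as `http://es.internal.example:9200` to probe a real node. An "exposed" result with large non-system indices is the CAM4 situation in miniature; the fix is to enable authentication, bind the node to a private interface and keep port 9200 off the public internet rather than relying on obscurity.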
The researchers could not establish whether anyone else had accessed the data, but given that it was sitting on the open internet, it’s quite possible. As well as customer information, the database also held details of CAM4’s anti-spam and anti-malware policies, which would be very useful in the wrong hands.
It’s not even a case of ‘in theory’: you may remember that a few years ago, dedicated adultery portal Ashley Madison was clobbered for 37 million records, which were then used as blackmail fodder against its users.
The offending CAM4 server has now been taken offline, but the data may already have been copied. If you’re a CAM4 user, we’d recommend changing any password you reused on CAM4 wherever else it is in use, and keeping an eye on your identity for a while, just in case.