If you can’t trust a porn site to keep your personal details safe, then who can you trust? Yes, it seems that yet another adult entertainment company has leaked its members’ information all over the web. Two months ago it was Brazzers; now it's claimed that xHamster has been caught with its virtual pants down.
According to a report by Motherboard, breach notification site LeakBase has revealed that 380,000 users were affected by the hack, which has resulted in credentials, including usernames, email addresses, and “poorly hashed” passwords, being traded on the digital underground.
xHamster doesn’t require viewers to create accounts, but those who do can post comments, create personal collections, and upload their own videos. While that 380,000 figure does sound like a lot, the site claims to have 12 million members.
The report adds that 40 of the email addresses in the database belong to the US Army, and 30 are related to various US, UK, and other countries’ government bodies.
It’s not clear exactly when the breach took place, but the information was being traded around the same time that an anonymous hacker found a vulnerability in xHamster earlier this year. How the hacker or hackers obtained the details is also unclear.
“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users' data secured,” a spokesperson for the company said. However, Motherboard says the site uses the outdated MD5 hashing algorithm, whose password hashes hackers can easily crack.
Responding to the Motherboard report, xHamster claims no hack took place. "The only way to respond to this news is to coin a new term: 'Fhack.' A fhack is best defined as a fake hack. There was a failed attempt to hack our database which occurred 4 years ago. The integrity of our user data is secure. Passwords are encrypted and impossible to hack. In short, this was a successful fhack; and a failed hack."
When asked how xHamster's user emails found their way into the hands of data traders, the site said: "We cannot validate that the emails are real and we don't believe that this is a genuine database." Strangely, Motherboard said it has independently verified the leaked email addresses and usernames.