Adult website CAM4 exposed 7TB data due to a misconfigured Elasticsearch server


Adult live streaming site CAM4 found leaking data of millions of users

Its raining Terabytes. Top adult website CAM4 based in Ireland has exposed personal identifiable information of its 11.8 million users including payment card details and email addresses.

The security researchers led by Anurag Sen from Saftey Detectives found that the Adult live streaming website CAM4 may be exposing a whopping 7 terabytes of data. The security researchers found that the exposed data contained around 11 million records containing emails, 26+ million entries with passwords hashes, and a few hundred entries containing full names, credit card types, and payment amounts. is an adult live streaming website owned by Irish company Granity Entertainment. Security researchers at Safety Detectives discovered CAM4’s database exposed to public access without any security authentication on a misconfigured Elasticsearch server. The data could have been easily stolen, collated, and sold on dark web hacker forums. The researchers found that the exposed information could easily identify the user.

Other data included the company’s production logs dating from March 16th, 2020, personally identifiable information (PII) like full names, usernames, gender, country, IP addresses, conversations, spam and fraud logs, and payment logs including credit card type, etc.

Most impacted users were found to be from Brazil, Italy, and the United States while most of the email addresses were based on Gmail, Hotmail, and iCloud.

“User emails could be targeted with leaked data then used maliciously to trigger clicks with phishing and malware scams deployed against unsuspecting targets,” Sen says. “The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example. This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees and clients of other businesses.”

The researchers pointed out that since CAM4 was an adult live streaming website, the information leaked could easily be used to extort money from CAM4 users. While there is nothing to prevent cyber extortionists to target random users/email addresses with threatening emails, the probability of success is higher if they can demonstrate that they do know something about the victim.

The researchers found no indication at the moment that the database has been accessed by anyone else except authorized users and the researchers. If you are on CAM4, change your password and get in touch with the company about the breach.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments