2020 produced some of the biggest data breaches in history—one of those being the CAM4 data leak that exposed seven terabytes of data, including around 11 billion records with emails and hashed passwords.
CAM4 is an adult platform selling sex cam services to clients around the world. Given the sheer size of the leaked database, it's safe to say CAM4 is very popular with a massive userbase and around 2 billion visitors each year.
To keep your data private try our free 14 day trial with TeamPassword
Data Breach vs. Data Leak
To fully understand the CAM4 fiasco, it's important to differentiate between a data breach and a data leak. In both instances, criminals steal data from an organization, but the circumstances leading to the attack are different.
A data breach is where cyber criminals break into a system or database using nefarious methods, like social engineering and other hacking techniques. Essentially, the criminals actively break into these systems.
Whereas a data leak happens as a result of employee incompetence or negligence. Rather than breaking into a system, criminals happen upon a "backdoor" into a system, like leaving a password exposed or accidentally making a private database public. The latter being the cause of the CAM4 data leak.
How did the CAM4 Leak Happen?
A team of researchers from antivirus software supplier Safety Detectives discovered a CAM4 database in early 2020. The team was performing routine searches for unsecured databases when they stumbled upon CAM4's misconfigured Elasticsearch production database.
Elasticsearch is an enterprise search engine that makes it easy for organizations to search through large databases. The CAM4 Elasticsearch is an internal search engine used by employees to scan user and activity logs.
Someone at CAM4 misconfigured Elasticsearch, putting the database online without any password protection. Anyone with the IP address could have accessed the database.
The CAM4 mishap is not an isolated incident, with many high-profile Elasticsearch leaks happening during 2020 alone! What makes CAM4 unique is the staggering 11 billion records of data.
Before CAM4, the most significant Elasticsearch leak came from Decathlon, who accidentally exposed five billion records.
Security consultant Bob Diachenko says these leaks are relatively common: "It's a really common experience for me to see a lot of exposed ElasticSearch instances... The only surprise that came out of this [CAM4] is the data that is exposed this time."
A Lucky Turn of Events
CAM4 is extremely lucky that a security firm found their exposed database rather than cybercriminals. Adult websites and applications handle highly sensitive user data with inappropriate videos or pictures.
Criminals often use data stolen from sites like CAM4 in blackmail and sextortion scams. Cybercriminals are still targeting victims of the Ashley Madison data breach from 2015.
What information was Compromised in the CAM4 Data Leak?
The 11 billion records in the CAM4 data leak included the following user information:
- First and last names
- Email addresses
- Password hashes
- Country of origin & sign-up dates
- Gender preference & sexual orientation
- Device information
- Usernames and chat logs
- Payment logs with card type and currency
- Transcripts of email correspondence
- Correspondence with other users and CAM4 support
- Token information
- IP addresses
- Fraud & spam logs
For a regular website, exposing this sort of data is scary. For highly sensitive data from a site like CAM4, it's terrifying beyond comprehension.
Teams found 11 million records containing email addresses, more than 26 with password hashes, and only 1,000 exposing user's full names with credit card types and payment information.
According to the country of origin logs, US, Brazilian, and Italian users were most affected, but it's difficult to determine the exact country breakdown as there were countless duplicate records.
It's important to note that these records weren't easy to read. Someone would have to spend time digging through the logs to match tokens with user profiles.
"You really have to dig into the logs to find tokens or anything that would connect you to the real person or anything that would reveal his or her identity... It should not have been exposed online, of course, but I would say it's not the scariest thing that I've seen." - Security consultant Bob Diachenko.
TeamPassword allows your information to stay private, try our free trial to see for yourself.
What was the Fallout from the CAM4 Data Leak?
Upon discovering the records, Safety Detectives immediately notified Granity Entertainment (CAM4's parent company), who took the database offline within 30 minutes.
According to Safety Detectives, internal access to the records was extremely limited, and there is no evidence to suggest that any CAM4 user data was leaked.
There wasn't much public outcry due to this breach, as adult content users typically like to remain anonymous. However, had criminals acquired this data, Granity Entertainment would have faced massive lawsuits and possible prosecution and fines under Europe's GDPR.
Potential Risk of Credential Stuffing Attacks
Aside from blackmail and sextortion scams, cybercriminals could have used the CAM4 user data in a credential stuffing attack.
Credential stuffing attacks occur when criminals use credentials from one breach to hack into another website or application. For convenience, people often use the same email address and password for multiple websites and applications.
The problem with this is that if hackers breach one of your accounts, they can access all the accounts using the same credentials, no matter how strong your password may be!
Cybercriminals unleash bots that crawl popular websites and applications trying your login credentials. If they find a match, then they have complete access to that account. Often these details are sold on the dark web, exposing you to various cybercrimes.
What Action did CAM4 Take in Response?
In addition to immediately removing the database from the internet, CAM4 has moved the server to an internal LAN making it difficult to access remotely. The company also removed personally identifiable information to protect its users.
How to Protect Yourself Against Data Leaks and Breaches
If a data breach occurs at a website or application where you have an account, there isn't much you can do to prevent criminals from stealing your data. But, you can take precautions to mitigate the fallout for yourself.
Never Provide More Data Than Required
One way to minimize your exposure is by providing only the personal information needed to run the features and services you need from an app or website. For example, if there is no reason to include your home address, don't include that information in your profile.
Use Virtual Cards for Payments
Use a separate virtual card for in-app payments. Many banks offer the option to generate virtual debit cards to use for online payments. With a virtual card, you can set payment limits to prevent criminals from emptying your account.
You can easily cancel a virtual card to continue using your account as usual. Canceling a regular debit or credit card will freeze your account until the bank can issue a new one. For some banks, this could take more than a week!
Use Different Credentials for Each Account
Always use a different password for every account! Using the same password for multiple accounts exposes you to credential stuffing and other cybersecurity issues.
Passwords should be a minimum of 12 characters with numbers, uppercase, lowercase, and special symbols. Using a password generator takes the guesswork out of choosing a secure password.
Secure Your Accounts with TeamPassword
A password manager like TeamPassword is the best investment any business can make to mitigate cyber threats. With TeamPassword, you can share login credentials without exposing raw password data.
TeamPassword is an accredited secure hosting provider providing users with a secure platform to host and share login credentials. Your sensitive information is hashed, salted, and encrypted locally on your computer and then transmitted to the server via an encrypted connection.
Built for Sharing
Every organization needs a way to share login details with team members, freelancers, and contractors. Many companies create spreadsheets with login credentials or send these via email or chat groups.
Anyone can copy and share these passwords, and it's near impossible to track where the breach originated.
With TeamPassword, you never share actual raw passwords. You can create groups and only share access with those who need it. TeamPassword comes with browser extensions for Chrome, Firefox, and Safari so your team can install the password manager on any device.
Create Secure Passwords With a Click
TeamPassword comes with a built-in password generator so you can create robust passwords with a single click. You can choose a combination of uppercase, lowercase, numbers, and symbols between 12 and 32 characters.
TeamPassword generates a new password instantly and updates the login credentials for all team members.
By creating unique passwords with TeamPassword, you never have to worry about falling victim to credential stuffing attacks in the unfortunate event of a data breach or leak.
Let TeamPassword manage your security while you focus on building your business. Sign up today for a free 14-day trial to explore TeamPassword's features.