When personal information is exposed it is always bad, but when adult sites expose thousands of people's personal information, such as ID, nationality, home address, parents' names, personal signature and even fingerprints (!), that could lead to very bad things indeed. This is what the vpnMentor cybersecurity research team found in an Amazon S3 bucket.
This leak has exposed the personal data and likeness of over 4,000 models among more than 875,000 files and has high-risk, real-life implications for said models. Some files are old, others are from within the last weeks, and the content is more than enough to steal someone's identity.
There are at least 875,000 keys, which represent different file types, including videos, marketing materials, photographs, clips and screenshots of video chats, and zip files. Within each zip folder – and there is apparently one zip folder per model – there are often multiple additional files (e.g. photographs and scans of documents), and many additional items that we chose not to investigate.
Photographs and scans of full passports and national identification cards, including visible:
- Full name
- Birth date
- Citizenship status
- Passport/ID number
- Passport issue & expiration dates
- Nationally registered gender
- ID photo
- Personal signature
- Parents' full names
- Additional country-specific details (e.g. emergency contact information for UK citizens)
The more severe implication, however, is that exposing information that can identify these models in detail can lead to harassment or even life-threatening situations. Among the exposed models are LGBTQ people, and with around 70 countries still considering this a criminal offense, it could lead to prison sentences or even murder.
It took the company several days to respond to the communication from vpnMentor and the response is not exactly what I would expect from a company that just illegally exposed information on thousands of people in their employment.
Date discovered: January 3, 2020
Date company notified: January 4, 2020
Date Amazon notified: January 7, 2020
Date of reply from Company: January 7, 2020
Date of action: January 9, 2020
I sincerely hope that none of the people who had their information exposed come to any harm, emotionally or otherwise. I also hope that legal action is taken against this company for its negligence. Finally, I hope this company hires someone to help them secure this kind of information so the people they employ can have their private data secured.