A popular hentai porn site that promises anonymity to its 1.1 million users left a user database exposed without a password, allowing anyone to identify users by their email addresses.
You might not have heard of Luscious.net unless you’re into hentai and manga porn, but it’s one of the most popular websites in the U.S., ranking in the top 5,000 sites in traffic, per Alexa data.
Security researchers discovered the security lapse and provided details of the exposed database exclusively to US Magazino.
But our efforts to reach the site owner over the past week to get the database secured were unsuccessful. We emailed the owner — whose email address was found in the very first user record — to disclose the security lapse, but we did not hear back after several follow-ups. We sent the owner a note through the site’s contact form, through Facebook Messenger and over a LinkedIn contact request, and we sent several text messages based off the site’s historical registration data.
We passed on a message to the site’s web host, which took action to block access to the database, allowing us to publish.
Only after we published did the site’s owner respond to our emails and confirm the security lapse. “We will be reaching out to any compromised users to warn them about the potential exposure of their private email addresses,” said the site owner.
The database contained what appeared to be the site’s entire back-end database, including more than 235,000 albums, 30,000 user blog posts and 900 videos. The data also contained details of the site’s 19.7 million photos.
The exposed data also included records that connected all of a user’s activity on the site, including their username, blog posts, followers and locations. Those records also contained users’ non-public email addresses. Although some accounts signed up with a fake email address, our testing showed that many of the emails were real, allowing us to identify real-world individuals who used the site.
There were no passwords in the database, however.
TechCrunch verified the exposed data by creating an account on the site and searching for the username we had just created in the database. It appeared near-instantly, indicating the database was live updating and was not a static backup file.
The database had been exposed since at least August 4, according to data from Shodan, a search engine for exposed devices and databases.
It’s the latest example of exposed or leaking data, where companies fail to protect their users’ data with a password or basic security mechanisms. In recent months we’ve seen a cryptocurrency loan site expose credit cards, thousands of exposed medical injury claim reports and a security lapse at dating app JCrush.
Updated with response from site owner.
Unveiling the Security Lapse: Protecting User Privacy in the Digital Realm
In a recent revelation, a popular hentai porn site, Luscious.net, came under scrutiny as security researchers discovered a significant security lapse that exposed the privacy of its 1.1 million users. This breach, which occurred over an extended period, raised concerns about the safety of user data and the need for robust security measures in online platforms.
The Exposure: An Overview
Luscious.net, despite catering to a niche audience, holds a substantial user base, ranking among the top 5,000 sites in the U.S. based on Alexa data. The uncovered security lapse left the site’s user database accessible without a password, laying bare the email addresses of its users. This lapse allowed anyone with the right knowledge to identify users, posing a severe threat to their privacy.
Discovery and Communication Efforts
Security researchers, committed to safeguarding user data, uncovered the vulnerability and promptly shared the details exclusively with TechCrunch. However, attempts to contact the site owner to rectify the issue were met with silence. Various communication channels, including email, site contact form, Facebook Messenger, LinkedIn, and text messages, were employed to no avail.
Only after TechCrunch took action to block access to the exposed database did the site owner respond, acknowledging the security lapse. The owner committed to reaching out to compromised users to alert them about the potential exposure of their private email addresses.
The Extent of the Data Exposure
The exposed database contained a comprehensive set of information, encompassing over 235,000 albums, 30,000 user blog posts, 900 videos, and a staggering 19.7 million photos. Notably, the records linked all user activities, including usernames, blog posts, followers, and locations. While the absence of passwords in the database mitigates some risks, the inclusion of users’ non-public email addresses poses a substantial threat to user privacy.
Duration of Exposure
Disturbingly, the database remained exposed for an extended period, with data from Shodan indicating vulnerability since at least August 4. This highlights a significant failure in safeguarding user data, underscoring the importance of constant vigilance in the digital landscape.
The Broader Context
This incident is not isolated but part of a growing trend where companies neglect to implement basic security mechanisms, leading to the exposure of sensitive user data. Recent instances include a cryptocurrency loan site exposing credit cards, thousands of exposed medical injury claim reports, and a security lapse at the dating app JCrush.
Conclusion: Upholding User Trust in the Digital Era
The Luscious.net security lapse serves as a stark reminder of the critical need for robust cybersecurity measures. As users entrust their data to online platforms, it is the responsibility of site owners to prioritize and invest in the security infrastructure that safeguards user privacy. The digital realm demands constant vigilance, and incidents like these underscore the urgency for a collective commitment to upholding user trust.