LOS ANGELES — A recent report declaring that “millions” of live cam fans and models have had their personal data exposed is being countered by the company involved.
Claiming “a network of ‘camgirl’ sites exposed millions of users and sex workers,” TechCrunch’s Zack Whittaker reported that an unencrypted database was found to contain months of “daily logs of the site activities [and] left without a password for weeks.”
The security breach is said to have taken place between May 24 and September 4.
The cam network, Barcelona-based VTS Media, serves its global audience through several popular live chat sites, including Amateur.tv, WebcamPornoxxx.net and PlacerCams.com.
Besides user data, some account and personal information about the network’s cam performers was also reportedly revealed, creating concerns for cammers and their fans alike over issues of security and social stigma.
“Those logs included detailed records of when users logged in — including [their] usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites,” Whittaker said. “The logs even included failed login attempts, storing usernames and passwords in plaintext.”
Cybersecurity firm Condition:Black was credited with exposing the open database, which has since been locked.
“This was a serious failure from a technical and compliance perspective,” said Condition:Black’s John Wethington. “After reviewing the sites’ data privacy policy and terms and conditions, it’s clear that users likely had no idea that their activities being monitored to this level of detail.”
“Users should always take into consideration the implications of their data leaking but especially where the implications could be life altering,” Wethington added.
While data leaks are nothing new, and little seems to come from them, Whittaker noted that VTS Media and its European-based servers are subject to the GDPR — a strict law where sexual preferences are a “special category” of data requiring more stringent protections, with violations incurring fines of up to four percent of the company’s annual gross income.
XBIZ and industry stakeholders have warned website owners about the General Data Protection Regulation and the near-impossibility of compliance; the need to make a good-faith effort; and the stiff penalties for not doing so. Indeed, last year’s XBIZ Show and FSC Leadership Conference hosted a special session detailing the complexities and seriousness of the GDPR requirements.
VTS Media issued a statement clarifying the situation and asserting its compliance with the GDPR. The company thanked Condition:Black for the warning and vowed to work with the Spanish Data Protection Agency to resolve the issue.
Among the statement’s revelations is a counter to the claim of “millions of users” being exposed with a more manageable number of “about 330,000 users.”
“[All] of the data stored in our main database is encrypted and unreachable. There are no payment, billing, card or password data compromised. Card payments are processed by an external provider specialized in handling this type of sensitive data,” a company representative stated. “Users’ passwords have not been compromised and are not kept as plain text; therefore, they do not need to be changed by the users.”
The rep explained that the data that has been exposed consists of technical logs, which are automatically erased after six months, and “exclusively used for technical reviews, quality controls and to solve our users’ requests.”
“For these users, the only potentially exposed data are their email and IP address, not the password. Even though this data has been exposed, it does not mean that it has reached anyone else’s hands, because as of today we are not aware that anybody, except the security company that discovered the breach, has accessed these data,” the rep revealed, underscoring that no passwords appeared in plain text in the logs. “What has been reported as a leak of private passwords actually consists of failed attempts to access the site and these have always been encrypted, thus never appearing in plain text.”
The company had to temporarily use additional servers to store its support logs “due to a global technical issue,” and revealed that human error resulted in incorrect firewall policies being implemented on these servers.
The rep also noted that less than one-half of one percent of the network’s models had any data exposed and that these models would be contacted by the company.
“As far as we are aware,” the rep concluded, “no one aside from those who discovered the breach had access to the data nor [have] those technical logs been downloaded or published on the internet.”
Those who have concerns over their potential exposure can email privacy@vtsmedia.com for more information.