The email addresses and account passwords of up to 3 million subscribers to a pornographic website have been accessible online since 2007 due to a web design error.
Information going back five years on YouPorn Chat’s users was freely available until the site was taken offline yesterday. The error was first made public on a Swedish discussion forum, Flashback.org.
In a post describing the blunder, Anders Nilsson, CTO of Swedish security firm Eurosecure, said that it was "baffling how coders working on a website with such sensitive content can make mistakes of this magnitude.
"[The data] was found…by someone sweeping websites for publicly accessible, but non-linked folders, looking for either porn or sensitive material like this."
Nilsson posted an analysis of the YouPorn Chat passwords to the text-sharing portal Pastebin, revealing the usual poor password choices. ‘123456’ was the most popular choice, in use by 72,915 YouPorn customers – 2.4% of the 3 million total.
In a blog post (safe for work) responding to the leak, YouPorn’s vice president of operations, Brad Black, emphasised that the compromised YouPorn chat accounts were not necessarily connected to YouPorn.com, as the chat site is run by a third party.
"Poor security practices resulted in YP Chat’s unencrypted daily user logs being left in an unsecured public directory," Black wrote, adding a claim that the number of affected users was in the thousands, not millions – in conflict with Nilsson’s analysis. "As the logs maintained daily records, users that accessed their YP Chat accounts on a recurring basis would have their activity appear in countless log files."
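The failure Black describes, plaintext daily logs sitting in a web-served directory that nothing linked to but anyone could browse, is something a site operator can audit for from the server side. The script below is an added example, not code from YouPorn Chat, Eurosecure or this article; it assumes a static document root whose paths map directly to URLs, treats any directory without an index file as listable, and runs on a constructed sample layout.

```python
"""Audit a web document root for unlinked but publicly served log files.

Added example for this article, not code from YouPorn Chat or Eurosecure.
Assumptions: paths under ROOT map directly to URLs, and a directory without
an index file is listable by anyone who guesses its name.
"""
import os
import re
import tempfile

LOG_SUFFIXES = (".log", ".txt", ".csv")
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Crude "exported credential record" shape: email, separator, then a value.
CRED_LINE = re.compile(r"^[^\s:,;]+@[^\s:,;]+[:,;]\S+")


def audit_webroot(root):
    """Return sorted (finding, url_path) tuples for everything under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        url_dir = "/" if rel == "." else "/" + rel + "/"
        if not INDEX_FILES.intersection(filenames):
            findings.append(("directory-listable", url_dir))
        for name in filenames:
            if not name.lower().endswith(LOG_SUFFIXES):
                continue
            findings.append(("log-file-public", url_dir + name))
            with open(os.path.join(dirpath, name), encoding="utf-8",
                      errors="replace") as fh:
                if any(CRED_LINE.match(line) for line in fh):
                    findings.append(("plaintext-credentials", url_dir + name))
    return sorted(findings)


def build_sample_webroot():
    """Build a constructed document root shaped like the one in the article."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "chat", "logs"))
    for rel in ("index.html", "chat/index.html"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<html></html>\n")
    # Constructed sample record; the address and password are invented.
    with open(os.path.join(root, "chat", "logs", "2012-02-21.log"), "w") as fh:
        fh.write("user@example.invalid:123456\n")
    return root


if __name__ == "__main__":
    for finding, url in audit_webroot(build_sample_webroot()):
        print(f"{finding:22} {url}")
```

Pointing `audit_webroot` at a real document root turns up the same three classes of finding the article describes: a listable directory, a log file reachable by URL, and records inside it that look like credentials.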
Eurosecure’s website appears to be offline, possibly due to traffic being driven to Nilsson’s post. The Swedish company was unreachable by telephone, as the office is currently closed for lunch.