A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected.
The sites, run by Barcelona-based VTS Media, include amateur.tv
, webcampornoxxx.net
, and placercams.com
. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across the world, including the United States.
According to Alexa traffic rankings, amateur.tv
is one of the most popular in Spain.
The database, containing months-worth of daily logs of the site activities, was left without a password for weeks. Those logs included detailed records of when users logged in — including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful.
The exposed data also revealed which videos users were watching and renting, exposing kinks and private sexual preferences.
In all, the logs were detailed enough to see which users were logging in, from where, and often their email addresses or other identifiable information — which in some cases we could match to real-world identities.
Not only were users affected, the “camgirls” — who broadcast sexual content to viewers — also had some of their account information exposed.
The database was shut off last week, allowing us to publish our findings.
Researchers at Condition:Black, a cybersecurity and internet freedom firm, discovered the exposed database.
“This was a serious failure from a technical and compliance perspective,” said John Wethington, founder of Condition:Black. “After reviewing the sites’ data privacy policy and terms and conditions, it’s clear that users likely had no idea that their activities being monitored to this level of detail.”
“Users should always take into consideration the implications of their data leaking but especially where the implications could be life altering,” he said.
Data exposures — where companies inadvertently leave their own systems open for anyone to access — have become increasingly common in recent years. Dating sites are among those with some of the most sensitive data. Earlier this year, a group dating site 3Fun exposed over a million users’ data, allowing researchers to view users’ real-time locations without permission. These security lapses can be extremely damaging to their users, exposing private sexual encounters and preferences known only to the users themselves. The fallout following the 2016 hack of affair-focused site Ashley Madison resulted in families breaking up and several reports of suicides connected to the breach.
An email to VTS Media bounced over the weekend and could not be reached for comment.
Given both the company and its servers are located in Europe, the exposure of sexual preferences would fall under the “special categories” of GDPR rules, which require more protections. Companies can be fined up to 4% of their annual turnover for GDPR violations.
A spokesperson for the Spanish data protection authority (AEPD) did not respond to a request for comment outside business hours.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.