Bob Diachenko, Head of Security Research at Comparitech, posted his findings on LinkedIn on November 16th. Diachenko said that the database consists of approximately 200 million records. At this time, it is unclear if any malicious actors accessed the database before it was secured.
Details about Stripchat and the Data Leak
Stripchat is an adult website that features live webcam performances, usually involving nudity or sexual activity. The website saw a massive uptick in traffic after the beginning of the COVID-19 pandemic and subsequent lockdowns. In fact, the site added over 900 million new users and 300,000 new models in 2020 alone. Diachenko stated that he discovered the database on November 5th and alerted Stripchat on the very same day. He added that the database was secured on November 7th. The database contained 200 million records in total and was accessible without a password or any other authentication. The leak contains the following information about users and models:
- email addresses
- IP addresses
- timestamps marking when accounts were created
- timestamps of last activity
- usernames
- blocked status
- tips given to models
Diachenko stated that Comparitech’s usual practice involves alerting the affected party of the cyber incident. This allows them to carry out their investigation and take all necessary actions, including informing affected users. However, Stripchat has not responded to or acknowledged Comparitech’s attempts to communicate so far.
Dangers of Exposed Stripchat User and Model Data
According to Diachenko, the data leak could pose both digital and physical threats to the site’s users and models. In particular, he voiced concern about IP addresses being part of the leak, as this could enable nefarious persons to “find and stalk, harass, or even assault someone in the database.” He added that the other personally identifying information could lead to extortion, bullying, or humiliation of victims for their private online activities. He also warned victims to watch out for targeted phishing emails and urged them to “never click on links or attachments in unsolicited emails.” Diachenko also said that the privacy risk for the victims increases if the leaked information is cross-referenced with other breaches. This would allow criminals to draw a full profile of a victim. “Sites like Stripchat should have stronger security practices and at least employ incident response protocols when receiving alerts like this from the security community,” Diachenko added.