A cybersecurity research team led by Noam Rotem and Ran Locar found a leaksource on PussyCash’s Amazon storage server in Virginia containing 19.95GB of visible data. As a membership network, PussyCash also owns adult website brands such as ImLive. However, this data breach, which has exposed more than 4,000 sets of personal data and similarities in more than 875,000 files, demonstrates its high-risk relevance.
PussyCash is known to host a membership program for several adult websites, paying site administrators for the traffic sent to the site through banner ads.
On ImLive, the web chat platform alone, it has 66 million registered members, not to mention dozens of other websites. Known by PussyCash’s website, its partners include BeNaughty, Xtube, Pornhub, and more.
Sometimes, data breaches can easily be found and blocked, but exceptions are not common. In more cases, it takes several days of investigation to understand the potential risks and to notify the victims.
At first, the researchers determined that only a few records in the ImLive bucket had been compromised. But in the end, it found that PussyCam was the owner of the leaked data on Amazon’s S3 storage server.
Discovery event: January 3, 2020;
Notify PussyCash and ImLive: January 4, 2020;
Amazon Records: January 7, 2020;
ImLive Response: January 7, 2020;
Take action: January 9, 2020.
Unfortunately, PussyCash has never responded to any contact attempt for this data breach. The good news is that ImLive eventually returned an email stating that they would handle it properly and pass the information on to the PussyCash technical team.
At least 875,000 different types of file leaks are known, including videos, marketing materials, photos, video chat clips, screenshots, and zip files. Old files are 15 to 20 years old, and the latest dates back to recent weeks.
To make matters worse, the leaked data also included full passport and national identity cards photos and scanned copies, including visible full name, birth date, place of birth, citizenship, place of origin, passport / ID number, passport issue date / validity date, registered sex, document photo, personal signature, full parent’s full name, fingerprint and other sensitive information.
Experts point out that if PussyCash had taken some basic safeguards, the S3 storage server breach would not have occurred easily. It recommends that enterprises impose appropriate access rules on servers, and that users should not easily submit excessive authentication information to Internet systems for use.