In an all too common incident, another elastic search engine has ended up exposing all the users' email addresses from an adult content website, luscious.net.
The leak was discovered on January 26 when the CTRLBOX Open Data Monitor detected an elastic search containing more than 40 million rows of data that included some email addresses and usernames. The exposure had been flagged back in late 2018, but due to a backlog, we first got to it now. Somewhat surprisingly - and disturbingly - the data were still online without any authentication.
Luscious.net's About page states that the site is still in BETA. Users are encouraged to submit content to help build a community so they can better focus on what users want. This, however, seems to leave the site open to some very disturbing posts related to sexual activities.
The leaky data on the elastic search contained 9 indices (databases) one of which was called userprofile. As you might expect, the userprofile index contains information related to the users' profiles, including email addresses with usernames and userids, favorites, and other statistical information. Another index named activity_feed contains posts with titles, post body, username and userid. Total count of user profiles was just over 130,000.
When you can readily match a username to an email address and also to adult content, you have the potential for a seriously embarrassing breach, as we have seen in the past when criminals have used stolen credentials, email addresses and names to attempt to extort or harass users.
Luscious.net was contacted via their website form as soon as ownership was attributed to them. The admin from luscious.net replied and secured the elastic instance within 24 hours of being notified about the issue, which is a relatively rapid response compared to many other sites we have contacted.
One takeaway lesson for consumers is that if you want to join adult content websites and communities, be sure to do so without using a regular email address that can be easily linked back to you.