Porn site breached in hack attack

[potter]

Quote:

Hackers claim to have stolen the details of more than 73,000 subscribers to porn site Digital Playground.

The data includes user names, email addresses and passwords. Also taken were the numbers, expiry dates and security codes for 40,000 credit cards.

The attack is the second successful breach of a site run by website management company Manwin.

A previously unknown hacker group called The Consortium said it was behind the attack.
'Tempting target'

While Manwin investigates, the Digital Playground site has been left online but is not accepting new members and its members area has been taken offline.

The Consortium posted some of the data it stole on the web and said security on the site was full of holes that "made it too enticing to resist" stealing the data.

"This company has security, that if we didn't know it was a real business, we would have thought to be a joke - a joke that we found much more amusing than they will," wrote The Consortium in a log posted on the web.

Visible in the log were admin login names and passwords as well as a selection of the email addresses and user names of some members. Internal emails, details of the four servers underpinning the site and software licence keys were also posted.

The Consortium claims some of the credit card data was stored in plain text form. The group claims to be connected to the Anonymous and Lulzsec hacker groups.

Porn producer Digital Playground is based in California but its website is managed and run by Canadian firm Manwin. The London office of the company declined to comment on the attack.

In a statement provided to porn industry news site AVN, Manwin said it took over management of the site on 1 March and said the breach may have occurred before it took charge.

Manwin management was overseeing the investigation and Digital Playground subscribers had been contacted to let them know what had happened.

In late February, details of more than 6,000 users of YouPorn's discussion forums, known as YP Chat, were stolen. YP Chat is also administered by Manwin. Lax security at a third-party provider was blamed for the breach.

http://www.bbc.co.uk/news/technology-17339508

[Roald]

wow again!!!

[Wilsy]

Quote:

Originally Posted by Roald

wow again!!!

Twice in one month sucks

[OverdueNudes]

Some people just don't learn the first time!!

[jigg]

"The Consortium claims some of the credit card data was stored in plain text form"

really? in 2012?

Idiots

[Barry-xlovecam]

https://gfy.com/showthread.php?t=1060217

Time warp ....

[porno jew]

think someone hacked the internet timeline instead.

[scouser]

wasnt this a few days ago? or is this a new one?

[directfiesta]

Quote:

Originally Posted by jigg

"The Consortium claims some of the credit card data was stored in plain text form"

really? in 2012?

Idiots

That contrevenes the bank merchant account terms

[DWB]

Great Scott!

[Fat Panda]

Please report all crimes to the FBI or http://www.ic3.gov/default.aspx

[lucas131]

Quote:

Originally Posted by SAC

Please report all crimes to the FBI or http://www.ic3.gov/default.aspx

nice site, is it yours? wanna trade hardlinks?

[Rothstein]

more like manlose

[raymor]

Quote:

Originally Posted by jigg

"The Consortium claims some of the credit card data was stored in plain text form"

really? in 2012?

Idiots

A free tip for them and anyone with a similar system where the web server needs access to the same database that holds billing information:

Use federated tables. Tables with sensitive data like card numbers are on an intranet machine, behind the firewall. Card numbers etc. can be encrypted with Twofish or AES. That intranet server then federates the user table from the web server, so the public web server only has access to the data it needs.

Which tables go on the protected intranet machine and which on the public web server? The web server should hold only the tables it needs to do it's job. Any data that doesn't HAVE to be on the web server isn't placed there.

Similarly for internal email - run your internal IMAP from the intranet, preferably with each essential service on a VM which has one way access control so it can make only outgoing connections if at all possible, and only to those internet servers it needs to access.

The theme here is clear separation between public data (web pages) and secured data. The same concept makes transparent tours less secure, despite their convenience.

[bean-aid]

Whenever this happened everyone should be aware that storing credit cards in plain text is a *huge* violation of every credit card company.

It is stored in an encrypted vault usually by your gateway to your biller.