Slashdot Mirror


Massive Porn Buyer Info Leak

Anonymous Guy wrote to mention a Wired article that covers the release of information for millions of customers onto the Internet. From the article: "The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites."

  1. That's what I don't get... by Anonymous Coward · · Score: 4, Informative

    What kind of moron buys porn? Hello? IT'S FREE ON TEH INTARWEBS, and especially on Usenet. There are people who literally get off on making and distributing porn of all varieties at no cost. They want you to watch.

    Unless your idea of hotness is overproduced Playboy-style photography with a combination of four different skin textures, three different lighting rigs, and sixteen different gauze filters, you can get what you want on Usenet without risking your credit history.

  2. Re:Weakest Link by frostyboy · · Score: 4, Informative

    Dude, RTFA. They didn't get the credit card numbers. Only personal information like name, phone number, address, email. Not that that's not a big deal, but this isn't a CC number security issue.

    Of course, this isn't made clear until way at the end of the article: "Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims."

    --
    Who is General Failure? And why is he reading my disk????
  3. Re:Weakest Link by Alex+P+Keaton+in+da · · Score: 5, Informative

    Um, anytime I buy something "questionable" or from a questionable source, I use a one time credit card number. I know MBNA has this. You set a dollar amount for the number, as well as an expiry date. It is great for sites with auto renewing subscriptions. I use them all the time for 3 day 1.99 trials. I set the card limit at 2.50, use the number, and then forget about it. When they try and charge me, they get nothing but an expired card.
    My understanding is that most identity theft is still done the old-fashioned way, with garbage diving etc. When I was in college, I bartended. I could have easily written down every credit card number that was handed to me....
    But clearly this is more of a privacy issue. Even if nothing is stolen from me, I would prefer that my name not be associated with porn purchases. But then again, who am I kidding, everyone that meets me just assumes I am into porn. I guess it is my vibe.

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
  4. You forgot by WindBourne · · Score: 2, Informative

    grep -i "senator\|representative\|congress\|whitehouse" iBill.dat. There are sure to be plenty there.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  5. This is also used by the Washington Post by kalidasa · · Score: 2, Informative

    I know, I had a little scuffle with them last week because I couldn't change my CC# on my Washington Post Online subscription. So not all the names are pr0n buyers.

  6. Re:different rules for porn watchers by Anonymous Coward · · Score: 2, Informative

    Uh... isn't Maxim basically soft porn?

    Maxim would be mild erotica. When the pussy makes its appearance is where soft porn begins. Even then I would classify that as mild erotica.

  7. Heres the actual list.... by XMilkProject · · Score: 4, Informative

    You can actually download this 214mb list of information here:
    http://5sec.us/Ibill_1m.txt
    I don't know why you'd want it, maybe you can use the passwords or something. But there it is anyway.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
    1. Re:Heres the actual list.... by Afty0r · · Score: 2, Informative

      It is a 214MB file on a fairly weak host. By posting the URL to Slashdot the parent has almost certainly guaranteed that FEWER people will get the file in coming days than if he had not acted as such.

      To link from Slashdot to a file nearly a quarter of a gig large is surely meant in jest? :)

  8. Everyone seems to be forgetting... by Psykosys · · Score: 5, Informative

    that an estimated 25% of the transactions weren't for porn. Unless the customer information is associated with the purchase information (it sounded to me like the account axx information was in separate, unlinked records), the leak has much fewer social implications than commenters here seem to be implying.

    Livejournal, for example, was offering payment through iBill during the time covered by the leak (run that link through Archive.org if you care to verify, /. filters the part following the asterisk).

  9. Well, that explains why I'm getting more spam... by sstamps · · Score: 2, Informative

    I was a subscriber to the MMORPG Horizons, which used to use iBill as their payment processor (they use iPay now; not much of a difference, really). I used new mail accounts I set up specifically for the game, and all of a sudden, about a month ago, I started getting tons of spam on them.

    I figured my email addresses had been sold by one of those sleazebag payment processors. Turns out they aren't evil, they're just STUPID.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
  10. Re:Oh crap... by BenEnglishAtHome · · Score: 4, Informative

    They didn't do credit card processing for midget-granny-and-horse-porn.com did they?

    No, but they did do credit card processing for sites featuring under-18 models doing "non-nude" work. Within the past couple of weeks, a group of those sites got busted and the FBI has announced intentions to prosecute them for selling child porn even though the models were clothed. (It seems the clothes were too small and/or the poses too racy.) Note that I don't know if any of the recently busted sites were using iBill and the point may already be moot since iBill has been defunct or close to it for a while.

    However, according to TFA

    The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.

    I have to figure if logins and passwords are there, then the websites accessible via those logins might also be in the data. If so, I imagine that at this moment a whole bunch of guys are pretty worried.

  11. Re:The IP information is invaluable by daverabbitz · · Score: 2, Informative

    That's all very well and good, until you remember that most people still have dynamic IP addresses, even on cable/dsl.

    --
    What could be better than a jet powered motorcycle? http://www.youtube.com/watch?v=u8l6GTHLSWE
  12. Darn that name by phorm · · Score: 2, Informative

    As an admin at my previous job, I often searched SF.net and freshmeat for open-source/free solutions. At one point, our ISP's caching filter decided to regularly boink the freshmeat site, which resulted in the site autobanning one of the upstream routers.

    It was a really fun thing trying to explain to the ISP person why they should put in a caching exemption for a site called "freshmeat", and what the actual content of said site was.

  13. Re:Weakest Link by monkeydo · · Score: 2, Informative

    In the US, the merchant and the issuer incur all of the liability for stolen card numbers. As long as the card holder reports unauthorized charges to the issuer within a reasonable time of becoming aware of it, his liability is zero. Credit card fraud costs the issuers about $10 Billion annually. Sure, they'd like to reduce that number, but they know that every dollar of fraud they prevent costs them $/x. When they reach a point of diminishing returns, there will still be some fraud.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  14. iBill leak is a fake. by MacDork · · Score: 2, Informative

    According to this Wired article, the iBill data is fake:

    But Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two.

    and

    Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list.
  15. Re:Oh crap... by Anonymous Coward · · Score: 1, Informative

    Here's some relief for those people. Wired have another article up which suggests the database has nothing to do with iBill and that it's just someone renaming it to make the data seem more valuable.

    It does strike me as odd though if it has records dating back to 1998, I wouldn't think spammers and scammers would have a database dating that far back. And of course iBill could just be lying to save face...