Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Porn Buyer Info Leak

Posted by ryuzaki0 on from the get-off-the-internet-this-is-a-sign dept.

Anonymous Guy wrote to mention a Wired article that covers the release of information for millions of customers onto the Internet. From the article: "The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites."

60 of 251 comments (clear)

  1. Weakest Link by nmccart · · Score: 4, Interesting

    It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

    But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

    People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.

    Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

    --
    Funny sigs make your Karma go down.
    1. Re:Weakest Link by frostyboy · · Score: 4, Informative

      Dude, RTFA. They didn't get the credit card numbers. Only personal information like name, phone number, address, email. Not that that's not a big deal, but this isn't a CC number security issue.

      Of course, this isn't made clear until way at the end of the article: "Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims."

      --
      Who is General Failure? And why is he reading my disk????
    2. Re:Weakest Link by Alex+P+Keaton+in+da · · Score: 5, Informative

      Um, anytime I buy something "questionable" or from a questionable source, I use a one time credit card number. I know MBNA has this. You set a dollar amount for the number, as well an expiry date. It is great for sites with auto renewing subscriptions. I use them all the time for 3 day 1.99 trials. I set the card limit at 2.50, use the number, and then forget about it. When they try and charge me, they get nothing but an expired card.
      My understanding is that most identity theft is still done the old fashion way- with garbage diving etc. When I was in college, I bartended. I could have easily written down every credit card number that was handed to me....
      But clearly this is more of a privacy issue. Even if nothing is stolen from me, I would prefer that my name not be associated with porn purchases. But then again, who am I kidding, everyone that meets me just assumes I am into porn. I guess it is my vibe.

      --
      And All I Ask is a Tall Ship And a Star to Steer Her By
    3. Re:Weakest Link by plover · · Score: 3, Interesting
      There was something else of interest in TFA. Wired posted the address of a "spammer community site," specialham.com.

      That plus a few curious slashdotters will probably slow their spam chatter for a few days.

      --
      John
    4. Re:Weakest Link by wkk2 · · Score: 3, Insightful

      The theft of card data won't stop until both the merchants and card issuers incur sufficient liability to wake up and make changes. 1. It should be illegal for merchants to store card numbers after an approval code is received. Buyers should be required to resubmit their card number for new transactions and refunds. It's not that big of an inconvenience to reenter numbers. 2. Reoccurring transactions should be process by submitting the card number to the merchant. The merchant should in turn apply for a reoccurring number that is only valid between that merchant and the card-clearing house. They should be charged a higher fee for the liability of saving that custom number. This number would be worthless to the thieves. 3. The addition of a one time password (federated OATH type token) would also go a long way to solving these problems especially for card not present transactions.

    5. Re:Weakest Link by ObsessiveMathsFreak · · Score: 2, Interesting

      Um, anytime I buy something "questionable" or from a questionable source, I use a one time credit card number. I know MBNA has this. You set a dollar amount for the number, as well an expiry date.

      Some credit companies have even released the equivilent of a mobile phone top up card for credit cards. You purchace credit, which has a built in expiry date, and simply purchace online before it runs out. The card is reusable.

      They are designed primarily for online purchaces, but personally I feel this method will eclipse regular credit cards amoung the general population. It has certainly made me consider it, and am paticularly credit card averse.

      --
      May the Maths Be with you!
    6. Re:Weakest Link by dusik · · Score: 5, Funny

      >> "But then again, who am I kidding, everyone that meets me just assumes I am into porn. I guess it is my vibe."

      It's because you say things like "I use them all the time for 3 day 1.99 trials". ;-)

    7. Re:Weakest Link by monkeydo · · Score: 2, Informative

      In the US, the merchant and the issuer incur all of the liability for stolen card numbers. As long as the card holder reports unauthorized charges to the issuer within a reasonable time of becoming aware of it, his liability is zero. Credit card fraud costs the issuers abotu $10 Billion annually. Sure, they'd like to reduce that number, but they know that ever dollar of fraud they prevent costs them $/x. When they reach a point of diminishing returns, there will still be some fraud.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  2. Quite Humorous by eldavojohn · · Score: 4, Interesting
    From the frontpage of iBill, they have their most recent news as:
    Internet Billing Company, LLC (iBill) announced that the relocation of their corporate headquarters to more cost-efficient facilities has been completed.
    Even after looking around, I can't determine where this move was to. Their contact info on the site lists Deerfield Beach, Florida as their location. Is it possible they moved all their transaction servers to a different country to avoid possible legal implications?

    If you care to read more about iBill, you can check out their blog on G Spot. I didn't link the blog because it's not about the company; it's about trading buyers across all of its customer sites.

    I wonder if this is a case of the company selling anything they could to escape dire financial straights or if it is the case of a disgruntled underpaid employee indulging.

    Am I surprised such a shady company had its user's credit card info traded on the black market? Gosh, not really.
    --
    My work here is dung.
    1. Re:Quite Humorous by SleepyHappyDoc · · Score: 4, Funny

      "More cost-efficient facilities"? Did they just skip all the steps and set up their headquarters in a federal prison?

      --
      Stasis is death. Embrace change.
  3. Time for an Open Porn Movement by RedHatLinux · · Score: 4, Funny

    After all, free, as in beer, porn, means never have to worry having identity stolen or saying sorry to wife.

    Plus, given the bottoming out production costs, we can easily produce porn of the same quality as closed source porn.

    1. Re:Time for an Open Porn Movement by mano_k · · Score: 2, Funny

      That would be a gangbang with a massive male majority ...
      Argh! Need mental erasor!!!!

  4. "Interesting" headline. by XorNand · · Score: 4, Interesting

    "Massive Porn Buyer Info Leak?" What the hell does that even mean? Hats off to Zonk for managing to use "porn", "leak", and "massive" all in the same headline and posting it to one of the most widely read sites on the net. That sound you hear is thousands of RSS feed subscribers all scratching their heads.

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:"Interesting" headline. by dr_dank · · Score: 3, Funny

      That sound you hear is thousands of RSS feed subscribers all scratching their heads.

      Is that what furious masturbation sounds like?

      --
      Where does the school board find them and why do they keep sending them to ME?
  5. In other news... by Shadow+Wrought · · Score: 4, Funny

    A sudden surge in the filing of divorces is plaguing thousands of local communities...

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  6. Oh crap... by eln · · Score: 5, Funny

    They didn't do credit card processing for midget-granny-and-horse-porn.com did they?

    I mean, not that it would matter to me if they did...I'm just curious.

    1. Re:Oh crap... by BenEnglishAtHome · · Score: 4, Informative

      They didn't do credit card processing for midget-granny-and-horse-porn.com did they?

      No, but they did do credit card processing for sites featuring under-18 models doing "non-nude" work. Within the past couple of weeks, a group of those sites got busted and the FBI has announced intentions to prosecute them for selling child porn even though the models were clothed. (It seems the clothes were too small and/or the poses too racy.) Note that I don't know if any of the recently busted sites were using iBill and the point may already be moot since iBill has been defunct or close to it for a while.

      However, according to TFA

      The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.

      I have to figure if logins and passwords are there, then the websites accessible via those logins might also be in the data. If so, I imagine that at this moment a whole bunch of guys are pretty worried.

  7. No Baby! I swear it wasn't me! by darth_MALL · · Score: 5, Funny

    It was the other Chester J. Winthrop-Montague III!

  8. Whew, that was too close by LunaticTippy · · Score: 5, Funny
    I'm sure glad I've never paid for internet porn.

    Now if they leak the hardon pill database I'm screwed...

    --
    Man, you really need that seminar!
  9. Internet IP addresses? by Anonymous Coward · · Score: 4, Funny

    Internet IP addresses?
    Well, as long as they didn't get their PIN numbers.

  10. Wait a second... by ENIGMAwastaken · · Score: 5, Funny

    You can BUY porn? News to me.

  11. This Could Be Quite Damaging! by Anonymous Coward · · Score: 3, Funny

    CUSTOMER
    --------
    Bill O'Reilly
    bill@billoreilly.com

    WEBSITES
    --------
    falafelpron.com
    hotfalafels.com
    teenfalafel.com

    1. Re:This Could Be Quite Damaging! by The+Warlock · · Score: 2, Insightful

      Both condemn it. Stop kidding yourself; 99% of all politicians are filthy corrupt bastards who want nothing more than to screw you over. The other 1% get shot.

      --
      I've upped my standards, so up yours.
  12. Well thank God I never pay for porn... by R2.0 · · Score: 5, Funny

    Wait...did I just type that out loud?

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  13. If... by Anonymous Coward · · Score: 3, Interesting

    If we used a decentralized, anonymous digital cash system, these kinds of problems would be much less common. Furthermore, the responsibility would lie in your own hands rather than in the hands of thousands of unidentifiable people at some corporation.

    I suppose it's wishful thinking, though, because everybody wants to be the central financial gateway (Visa, Mastercard, Paypal, etc.) and governments prefer being able to track all transactions (toll booth transponders, bankers reporting all transactions over $10,000, etc.).

  14. Where do I buy? by RobertB-DC · · Score: 4, Funny

    In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBD's stock closed at 8 cents a share in over-the-counter trading.

    8 cents a share? Nowhere to go but up! Time to call my broker*.

    At the very least, their certificate will look good on the wall, next to the one from Enron. Maybe really good -- or really bad -- depending on which of their subsidiaries did the artwork. According to the Yahoo Finance link, "IBD also owns a library of original cartoon cel art (including He-Man, She-Ra, and Flash Gordon) [and] a 35% stake in Penthouse publisher Penthouse Media Group."

    *Disclaimer: I don't have a broker.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  15. Freakin' Sweet by GabrielF · · Score: 5, Insightful
    Other fields in the compromised databases appear to be logins and passwords

    Woohoo! Free porn for everyone!

  16. More material for late night talk shows by ScooterBill · · Score: 2, Insightful

    I think it's kind of funny. My wife isn't really in on my porn habits but she isn't stupid and knows that sometimes her hubby isn't just "defragging the hard drive" in the basement.

    The funny part is when we get to see the "questionable" surfing habits of some famous self-righteous fundy preachers. I love it.

    Of course, it wouldn't be so funny if the entire credit card info got released...

  17. Time for an Open Porn Movement by AnonymousPrick · · Score: 5, Funny

    I suggest that the open-porn should be stored on "Freshmeat".

    --
    Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
  18. BIG DEAL? by HTTP+Error+403+403.9 · · Score: 2, Insightful
    They have names, addresses and phone numbers but no credit card numbers or social security numbers. Isn't this basically the same information you can find in the phone book?

    About the only thing one can do with this information is crank calls and spam.

    Big deal.

    --
    I'm not a Troll, it's reverse psychology.
  19. Still Online? by NoData · · Score: 4, Interesting
    FTFA:
    Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list appeared to date from 2003.

    Hmm.

    http://www.google.com/search?q=Ibill_1m.txt
    [TXT] Ibill_1m.txt 08-Jun-2003 03:49 214M
    Thaaaat doesn't look good.

  20. That's what I don't get... by Anonymous Coward · · Score: 4, Informative

    What kind of moron buys porn? Hello? IT'S FREE ON TEH INTARWEBS, and especially on Usenet. There are people who literally get off on making and distributing porn of all varieties at no cost. They want you to watch.

    Unless your idea of hotness is overproduced Playboy-style photography with a combination of four different skin textures, three different lighting rigs, and sixteeen different gauze filters, you can get what you want on Usenet without risking your credit history.

    1. Re:That's what I don't get... by paco3791 · · Score: 2, Interesting

      I had an ex-girlfriend once, who I still kept in contact with for some reason, who broke up with her then fiance because he charged $500 of Pr0n onto her debit card. Not credit card, debit card! Besides the obvious "What a Tool!" At the time I remeber thinking "Wow, that is a lot of real money to spend on something I can find just laying around on the web". This was in the early days of P2P and bittorrent wasn't even on the scene yet and still you could bairly do a search on the web without some offer for free porn poping up.

      Still amazes me, to this day, how people can be so stupid/lazy that they spend enough money to keep an entire industry racking up the profits when free, legal alternatives abound.

    2. Re:That's what I don't get... by ettlz · · Score: 2, Funny
      What kind of moron buys porn?

      Same kind of moron who pays cash for some semi-naked woman to dance in front of him!

      I mean, you gotta make a chick work for sex!

  21. I feel a great disturbance in the Force..... by 8127972 · · Score: 3, Funny

    .....as if millions of computer geeks had cried out, and then became silent.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  22. Know Your Congress by Doc+Ruby · · Score: 4, Funny

    grep -i 'senator' iBill.dat; grep -i 'representative' iBill.dat ; grep -i 'congress' iBill.dat

    --

    --
    make install -not war

  23. I don't think it was stolen. by eldavojohn · · Score: 4, Interesting

    After all, the article said that no pieces of information were stolen that required them (by law) to inform their customers. Pretty convenient, eh?

    I also noticed that they're from Deerfield Beach, Florida. Now, something odd about Deerfield Beach is its location. It's on the coast of Florida there. That unmarked island on the east side of the map? That would be Grand Bahama. Care to take a guess at what country it lies in?

    So my guess is that the company did this legally and by choice. They probably found some bum on the street who didn't ask questions and would like to recieve a paycheck. He's probably also the president of the company with very limited responsibilities and capabilities. They're also probably prepared to give him a briefcase full of $100,000 and a boat to take to Freeport. And also some cute documents for him to sign that might as well say that he shot JFK.

    Meanwhile, all the workers and people profiting off the deal claim they had no knowledge.

    --
    My work here is dung.
  24. Porn Leak by Anonymous Coward · · Score: 4, Funny

    I could swear that's the name of some Thai porn star.

  25. Whois data by NoData · · Score: 4, Interesting

    Anyone know if this guy is a known spammer? He's now upgraded to trafficking in stolen property.

    http://www.whois.net/whois.cgi2?d=5sec.us

    (sorry, lameness filter is being lame, here's just the basics badly formatted)

    Registrant Name Sean Rogers
    Registrant Organization Sean Rogers
    Registrant Address1 1275 Falkland Rd
    Registrant City Jacksonville
    Registrant State/Province FL
    Registrant Postal Code 32221
    Registrant Country United States
    Registrant Country Code US
    Registrant Phone Number +95.486824101
    Registrant Email gsmmax@mail.ru

  26. You forgot by WindBourne · · Score: 2, Informative

    grep -i "senator\|representative\|congress\|whitehouse" iBill.dat. There are sure to be plenty there.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  27. What we need by lildogie · · Score: 3, Interesting

    What we need is for the name of some elected official(s) to be found in the data.

    Then we'll see swift lawmaking action to clamp down on leaks of personal information by merchants and money-handlers.

  28. So even those who give a f*ck ... by AHumbleOpinion · · Score: 3, Funny

    So even those who give a f*ck, who bend over backwards for their customers, who do all that is humanly possible, don't get security right. ;-)

  29. Re:Gullible morons by Bull999999 · · Score: 3, Funny

    They can lick my balls for all I care.

    They might take you upon that offer for their new Computer Geeks Gone Wild series.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  30. News for Nerds... by jon.wolf · · Score: 5, Funny

    If ever a story qualified as, "News for Nerds. Stuff that Matters." -- this is it.

  31. Anonymous digital transactons won't be allowed by AHumbleOpinion · · Score: 3, Interesting

    If we used a decentralized, anonymous digital cash system, these kinds of problems would be much less common ... I suppose it's wishful thinking ... governments prefer being able to track all transactions.

    Exactly. You are more likely to see secure computers and honest people than anonymous digital transactions. Governments won't allow it. And no you do not have a US Constitutional right, quite the contrary, the US government has the Constitutional power to create currency, collect taxes, define felonies (say money laundering) and pass enacting legislation, etc.

  32. This is also used by the Washington Post by kalidasa · · Score: 2, Informative

    I know, I had a little scuffle with them last week because I couldn't change my CC# on my Washington Post Online subscription. So not all the names are pr0n buyers.

    1. Re:This is also used by the Washington Post by tvalley000 · · Score: 2, Interesting

      iBill.com was also used by the Make Money Fast Hall of Humiliation (mmfhoh.org) back in 1997. Don't know if any of the members are in the lists, or if even the exposed names go back to 1997, but this would be baaaaaad for those members that received death-threats back in the day for their activities.

  33. Re:different rules for porn watchers by Anonymous Coward · · Score: 2, Informative

    Uh... isn't Maxim basically soft porn?

    Maxim would be mild erotica. When the pussy makes it's appearance is where soft porn begins. Even then I would classify that as mild erotica.

  34. Heres the actual list.... by XMilkProject · · Score: 4, Informative

    You can actually download this 214mb list of information here:
    http://5sec.us/Ibill_1m.txt
    I don't know why you'd want it, maybe you can use the passwords or something. But there it is anyway.

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...
    1. Re:Heres the actual list.... by Afty0r · · Score: 2, Informative

      It is a 214MB file on a fairly weak host. By posting the URL to Slashdot the parent has almost certainly gauranteed that FEWER people will get the file in coming days than if he had not acted as such.

      To link from Slashdot to a file nearly a quarter of a gig large is surely meant in jest? :)

  35. Everyone seems to be forgetting... by Psykosys · · Score: 5, Informative
    that an estimated 25% of the transactions weren't for porn. Unless the customer information is associated with the purchase information (it sounded to me like the account axx infomation was in separate, unlinked records), the leak has much fewer social implications than commenters here seem to be implying.

    Livejournal, for example, was offering payment through iBill during the time covered by the leak (run that link through Archive.org if you care to verify, /. filters the part following the asterisk).

    1. Re:Everyone seems to be forgetting... by ignavus · · Score: 2, Funny

      And suddenly the number of people claiming to read LiveJournal climbs through the roof.

      "Each copy must be getting read by several thousand people, if that is the case", said the circulation manager of LiveJournal. "Perhaps we should put our membership list on the web next week ... hurry up, folks, you just have time to subscribe right now."

      And in the Congress lobby this week, the biggest topic in conversation was "Did you see that article in LiveJournal..? I read it all the time."

      --
      I am anarch of all I survey.
  36. Re:HAH by kunakida · · Score: 2, Funny

    So what I want to know is... how many Sunday Sermon TV jockeys are on the list? Now _there's_ one for Conan O'Brien.

  37. Well, that explains why I'm getting more spam... by sstamps · · Score: 2, Informative

    I was a subscriber to the MMORPG Horizons, which used to use iBill as their payment processor (they use iPay now; not much of a difference, really). I used new mail accounts I set up specifically for the game, and all of a sudden, about a month ago, I started getting tons of spam on them.

    I figured my email addresses had been sold by one of those sleazebag payment processors. Turns out they aren't evil, they're just STUPID.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
  38. Re:The IP information is invaluable by daverabbitz · · Score: 2, Informative

    That's all very well and good, until you remember that most people still have dynamic IP addresses, even on cable/dsl.

    --
    What could be better than a jet powered motorcycle? http://www.youtube.com/watch?v=u8l6GTHLSWE
  39. Darn that name by phorm · · Score: 2, Informative

    As an admin at my previous job, I often searched SF.net and freshmeat for open-source/free solutions. At one point, our ISP's caching filter decided to regularly boink the freshmeat site, which resulted in the site autobanning one of the upstream routers.

    It was a really fun thing trying to explain to the ISP person why they should put in an caching exemption for a site called "freshmeat", and what the actual content of said site was.

  40. IP adresses? by JThundley · · Score: 4, Funny

    "The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses."

    So it included the internet internet protocol addresses? I keep my internet IP address next to my PIN number at the ATM machine.

  41. Wired is not credible by Ohreally_factor · · Score: 2, Funny

    I don't believe this, and I won't be satisfied until I carefully examine the list of logins and passwords to the alleged pr0n sites.

    --
    It's not offtopic, dumbass. It's orthogonal.
  42. people don't realize by recharged95 · · Score: 2, Insightful

    that there's no such thing as anonymity on the internet.

  43. iBill leak is a fake. by MacDork · · Score: 2, Informative
    According to this Wired article, the iBill data is fake:
    But Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two.

    and

    Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list.